CVE-2018-10843 — Improper Input Validation in Redhat Openshift Container Platform

CWE-20 — Improper Input Validation CWE-732 — Incorrect Permission Assignment5 documents5 sources

Severity

8.8HIGHNVD

CNA8.5

EPSS

0.3%

top 49.78%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redhat Openshift Container Platform

Timeline

PublishedJul 2

Latest updateMay 13

Description

source-to-image component of Openshift Container Platform before versions atomic-openshift 3.7.53, atomic-openshift 3.9.31 is vulnerable to a privilege escalation which allows the assemble script to run as the root user in a non-privileged container. An attacker can use this flaw to open network connections, and possibly other actions, on the host which are normally only available to a root user.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages1 packages

▶NVDredhat/openshift_container_platform< 3.7.53+2

🔴Vulnerability Details

GHSA

GHSA-h5q5-9vcx-54g7: source-to-image component of Openshift Container Platform before versions atomic-openshift 3↗2022-05-13

▶

CVEList

CVE-2018-10843: source-to-image component of Openshift Container Platform before versions atomic-openshift 3↗2018-07-02

▶

📋Vendor Advisories

Red Hat

source-to-image: Builder images with assembler-user LABEL set to root allows attackers to execute arbitrary code↗2018-05-24

▶

💬Community

Bugzilla

CVE-2018-10843 source-to-image: Builder images with assembler-user LABEL set to root allows attackers to execute arbitrary code↗2018-05-17

▶