CVE-2018-14620 — Download of Code Without Integrity Check in RED HAT Openstack-rabbitmq-container

CWE-494 — Download of Code Without Integrity Check CWE-20 — Improper Input Validation5 documents5 sources

Severity

9.8CRITICALNVD

CNA4.7

EPSS

0.1%

top 68.34%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

RED HAT Openstack-rabbitmq-container Redhat Openstack

Timeline

PublishedSep 10

Latest updateMay 13

Description

The OpenStack RabbitMQ container image insecurely retrieves the rabbitmq_clusterer component over HTTP during the build stage. This could potentially allow an attacker to serve malicious code to the image builder and install in the resultant container image. Version of openstack-rabbitmq-container and openstack-containers as shipped with Red Hat Openstack 12, 13, 14 are believed to be vulnerable.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

▶CVEListV5red_hat/openstack-rabbitmq-container12, 13, 14

▶NVDredhat/openstack12, 13+1

🔴Vulnerability Details

GHSA

GHSA-w9j2-jxm7-7f2v: The OpenStack RabbitMQ container image insecurely retrieves the rabbitmq_clusterer component over HTTP during the build stage↗2022-05-13

▶

CVEList

CVE-2018-14620: The OpenStack RabbitMQ container image insecurely retrieves the rabbitmq_clusterer component over HTTP during the build stage↗2018-09-10

▶

📋Vendor Advisories

Red Hat

openstack-rabbitmq-container: Insecure download of rabbitmq_clusterer during docker build↗2018-09-10

▶

💬Community

Bugzilla

CVE-2018-14620 openstack-rabbitmq-container: Insecure download of rabbitmq_clusterer during docker build↗2018-09-10

▶