CVE-2019-10165 — Log File Information Exposure in Redhat Openshift Container Platform

CWE-532 — Log File Information Exposure5 documents5 sources

Severity

2.3LOWNVD

EPSS

0.1%

top 81.45%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redhat Openshift Container Platform RED HAT Openshift

Timeline

PublishedJul 30

Latest updateMay 24

Description

OpenShift Container Platform before version 4.1.3 writes OAuth tokens in plaintext to the audit logs for the Kubernetes API server and OpenShift API server. A user with sufficient privileges could recover OAuth tokens from these audit logs and use them to access other resources.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:NExploitability: 0.8 | Impact: 1.4

Affected Packages2 packages

▶NVDredhat/openshift_container_platform< 4.1.3

▶CVEListV5red_hat/openshiftfixed in 4.1.3

Patches

Patch: bugzilla.redhat.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-252g-gw8q-x2cc: OpenShift Container Platform before version 4↗2022-05-24

▶

CVEList

CVE-2019-10165: OpenShift Container Platform before version 4↗2019-07-30

▶

📋Vendor Advisories

Red Hat

openshift: OAuth access tokens written in plaintext to API server audit logs↗2019-06-07

▶

💬Community

Bugzilla

CVE-2019-10165 openshift: OAuth access tokens written in plaintext to API server audit logs↗2019-06-11

▶