CVE-2019-10200 — Improper Access Control in Redhat Openshift Container Platform

CWE-284 — Improper Access Control5 documents5 sources

Severity

7.2HIGHNVD

EPSS

0.4%

top 39.89%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redhat Openshift Container Platform

Timeline

PublishedMar 19

Latest updateMay 24

Description

A flaw was discovered in OpenShift Container Platform 4 where, by default, users with access to create pods also have the ability to schedule workloads on master nodes. Pods with permission to access the host network, running on master nodes, can retrieve security credentials for the master AWS IAM role, allowing management access to AWS resources. With access to the security credentials, the user then has access to the entire infrastructure. Impact to data and system availability is high.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HExploitability: 1.2 | Impact: 5.9

Affected Packages1 packages

▶CVEListV5redhat/openshift_container_platformOpenShift Container Platform 4

Also affects: Openshift Container Platform 4.0

Patches

Patch: bugzilla.redhat.com ↗Patch: github.com ↗Patch: bugzilla.redhat.com ↗

🔴Vulnerability Details

GHSA

GHSA-8283-mprv-vc6w: A flaw was discovered in OpenShift Container Platform 4 where, by default, users with access to create pods also have the ability to schedule workload↗2022-05-24

▶

CVEList

CVE-2019-10200: A flaw was discovered in OpenShift Container Platform 4 where, by default, users with access to create pods also have the ability to schedule workload↗2021-03-19

▶

📋Vendor Advisories

Red Hat

openshift: Users with permission to schedule pods on master nodes can access credentials for AWS IAM roles↗2019-07-12

▶

💬Community

Bugzilla

CVE-2019-10200 openshift: Users with permission to schedule pods on master nodes can access credentials for AWS IAM roles↗2019-07-16

▶