CVE-2019-10225 — Insufficiently Protected Credentials in RED HAT Atomic-openshift

CWE-522 — Insufficiently Protected Credentials5 documents5 sources

Severity

6.3MEDIUMNVD

EPSS

0.1%

top 64.78%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

RED HAT Atomic-openshift Redhat Openshift Redhat Openshift Container Platform

Timeline

PublishedMar 19

Latest updateMay 24

Description

A flaw was found in atomic-openshift of openshift-4.2 where the basic-user RABC role in OpenShift Container Platform doesn't sufficiently protect the GlusterFS StorageClass against leaking of the restuserkey. An attacker with basic-user permissions is able to obtain the value of restuserkey, and use it to authenticate to the GlusterFS REST service, gaining access to read, and modify files.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:LExploitability: 2.8 | Impact: 3.4

Affected Packages2 packages

▶CVEListV5red_hat/atomic-openshiftatomic-openshift of openshift-4.2

▶NVDredhat/openshift4.2

Also affects: Openshift Container Platform 3.11, 4.0

🔴Vulnerability Details

GHSA

GHSA-rg9w-3hxj-q4r8: A flaw was found in atomic-openshift of openshift-4↗2022-05-24

▶

CVEList

CVE-2019-10225: A flaw was found in atomic-openshift of openshift-4↗2021-03-19

▶

📋Vendor Advisories

Red Hat

atomic-openshift: The basic-user RBAC role allow leaking of GlusterFS StorageClass restuserkey value↗2019-08-19

▶

💬Community

Bugzilla

CVE-2019-10225 atomic-openshift: The basic-user RBAC role allow leaking of GlusterFS StorageClass restuserkey value↗2019-08-19

▶