CVE-2019-19335 — Incorrect Permission Assignment in RED HAT Openshift Installer

CWE-732 — Incorrect Permission Assignment5 documents5 sources

Severity

4.4MEDIUMNVD

EPSS

0.1%

top 73.57%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

RED HAT Openshift Installer Redhat Openshift

Timeline

PublishedMar 18

Latest updateMay 24

Description

During installation of an OpenShift 4 cluster, the `openshift-install` command line tool creates an `auth` directory, with `kubeconfig` and `kubeadmin-password` files. Both files contain credentials used to authenticate to the OpenShift API server, and are incorrectly assigned word-readable permissions. ose-installer as shipped in Openshift 4.2 is vulnerable.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:NExploitability: 0.8 | Impact: 3.6

Affected Packages2 packages

▶CVEListV5red_hat/openshift_installerose-installer as shipped in Openshift 4.2

▶NVDredhat/openshift4.0, 4.2+1

🔴Vulnerability Details

GHSA

GHSA-w7jf-m36x-7vjp: During installation of an OpenShift 4 cluster, the `openshift-install` command line tool creates an `auth` directory, with `kubeconfig` and `kubeadmin↗2022-05-24

▶

CVEList

CVE-2019-19335: During installation of an OpenShift 4 cluster, the `openshift-install` command line tool creates an `auth` directory, with `kubeconfig` and `kubeadmin↗2020-03-18

▶

📋Vendor Advisories

Red Hat

openshift/installer: kubeconfig and kubeadmin-password are created with word-readable permissions↗2019-11-27

▶

💬Community

Bugzilla

CVE-2019-19335 openshift/installer: kubeconfig and kubeadmin-password are created with word-readable permissions↗2019-11-27

▶