CVE-2019-3884 — Authentication Bypass by Spoofing in RED HAT Atomic-openshift

CWE-290 — Authentication Bypass by Spoofing CWE-287 — Improper Authentication5 documents5 sources

Severity

5.4MEDIUMNVD

EPSS

0.1%

top 70.41%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

RED HAT Atomic-openshift Redhat Openshift

Timeline

PublishedAug 1

Latest updateMay 24

Description

A vulnerability exists in the garbage collection mechanism of atomic-openshift. An attacker able spoof the UUID of a valid object from another namespace is able to delete children of those objects. Versions 3.6, 3.7, 3.8, 3.9, 3.10, 3.11 and 4.1 are affected.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:LExploitability: 2.8 | Impact: 2.5

Affected Packages2 packages

▶CVEListV5red_hat/atomic-openshift3.6, 3.7, 3.8, 3.9, 3.10, 3.11, 4.1

▶NVDredhat/openshift7 versions+6

🔴Vulnerability Details

GHSA

GHSA-fpgq-qv2c-6787: A vulnerability exists in the garbage collection mechanism of atomic-openshift↗2022-05-24

▶

CVEList

CVE-2019-3884: A vulnerability exists in the garbage collection mechanism of atomic-openshift↗2019-08-01

▶

📋Vendor Advisories

Red Hat

atomic-openshift: cross-namespace owner references can trigger deletions of valid children↗2019-03-29

▶

💬Community

Bugzilla

CVE-2019-3884 atomic-openshift: cross-namespace owner references can trigger deletions of valid children↗2019-03-29

▶