CVE-2020-1690

CWE-285
6 documents, 5 sources
Severity: 6.5 MEDIUM
EPSS: 0.0% (top 90.55%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: Jun 7
Latest update: May 24

Description

An improper authorization flaw was discovered in openstack-selinux's applied policy where it does not prevent a non-root user in a container from privilege escalation. A non-root attacker in one or more Red Hat OpenStack (RHOSP) containers could send messages to the dbus. With access to the dbus, the attacker could start or stop services, possibly causing a denial of service. Versions before openstack-selinux 0.8.24 are affected.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
Exploitability: 2.0 | Impact: 4.0

Affected Packages (3 packages)

CVEListV5: openstack-selinux, before openstack-selinux 0.8.24
NVD: redhat/openstack_platform 15.0, 16.1 (+1)

🔴 Vulnerability Details (2)

GHSA (2022-05-24)
GHSA-2364-qg82-xg35: An improper authorization flaw was discovered in openstack-selinux's applied policy where it does not prevent a non-root user in a container from priv
CVEList (2021-06-07)
CVE-2020-1690: An improper authorization flaw was discovered in openstack-selinux's applied policy where it does not prevent a non-root user in a container from priv

📋 Vendor Advisories (1)

Red Hat (2020-02-12)
openstack-selinux: policy flaw allows dbus messaging

💬 Community (2)

Bugzilla (2020-02-17)
CVE-2020-1690 openstack-selinux: policy flaw allows dbus messaging [openstack-rdo]
Bugzilla (2020-01-10)
CVE-2020-1690 openstack-selinux: policy flaw allows dbus messaging