CVE-2021-3684 — Log File Information Exposure in Openshift Assisted-installer

CWE-532 — Log File Information Exposure5 documents5 sources

Severity

5.5MEDIUMNVD

EPSS

0.1%

top 64.66%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Openshift Assisted-installer Redhat Openshift Assisted Installer Redhat Openshift Container Platform

Timeline

PublishedMar 24

Description

A vulnerability was found in OpenShift Assisted Installer. During generation of the Discovery ISO, image pull secrets were leaked as plaintext in the installation logs. An authenticated user could exploit this by re-using the image pull secret to pull container images from the registry as the associated user.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 1.8 | Impact: 3.6

Affected Packages2 packages

▶NVDredhat/openshift_assisted_installer< 1.0.25.3

▶Gogithub.com/openshift_assisted-installer< 1.0.25.1

Also affects: Openshift Container Platform 4.6

Patches

Patch: bugzilla.redhat.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

OpenShift Assisted Installer leaks image pull secrets as plaintext in installation logs↗2023-03-24

▶

CVEList

CVE-2021-3684: A vulnerability was found in OpenShift Assisted Installer↗2023-03-24

▶

OSV

OpenShift Assisted Installer leaks image pull secrets as plaintext in installation logs↗2023-03-24

▶

📋Vendor Advisories

Red Hat

assisted-installer: Image Pull Secret leaked through log files↗2022-10-19

▶