CVE-2018-1069

Red Hat OpenShift Enterprise version 3.7 is vulnerable to access control override for container network filesystems. An attacker could override the UserId and GroupId for GlusterFS and NFS to read and write any data on the network filesystem.

CVSS v3 7.1 HIGH
CVSS v2.0 5.4 MEDIUM

7.1^/10

CVSS v3 : HIGH

Vector : AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability : 1.2 / Impact : 5.9

Attack Vector ADJACENT_NETWORK

Attack Complexity HIGH

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

5.4^/10

CVSS v2.0 : MEDIUM

Vector : AV:A/AC:M/Au:N/C:P/I:P/A:P

Exploitability : 5.5 / Impact : 6.4

Access Vector ADJACENT_NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
http://www.securityfocus.com/bid/103364	Third Party Advisory VDB Entry
https://bugzilla.redhat.com/show_bug.cgi?id=1552987	Issue Tracking Mitigation

Configurations

Configuration 1 (hide)

cpe:2.3:a:redhat:openshift:3.7:*:*:*:enterprise:*:*:*

History

No history.

Information

Published : 2018-03-09 14:29

Updated : 2024-02-28 16:25

NVD link : CVE-2018-1069

Mitre link : CVE-2018-1069

CVE.ORG link : CVE-2018-1069

JSON object : View

Products Affected

redhat

openshift

CWE

CWE-732

Incorrect Permission Assignment for Critical Resource

CWE-284

Improper Access Control

{"id": "CVE-2018-1069", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.4, "accessVector": "ADJACENT_NETWORK", "vectorString": "AV:A/AC:M/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 5.5, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 7.1, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.2}]}, "published": "2018-03-09T14:29:00.217", "references": [{"url": "http://www.securityfocus.com/bid/103364", "tags": ["Third Party Advisory", "VDB Entry"], "source": "secalert@redhat.com"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1552987", "tags": ["Issue Tracking", "Mitigation"], "source": "secalert@redhat.com"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-732"}]}, {"type": "Secondary", "source": "secalert@redhat.com", "description": [{"lang": "en", "value": "CWE-284"}]}], "descriptions": [{"lang": "en", "value": "Red Hat OpenShift Enterprise version 3.7 is vulnerable to access control override for container network filesystems. An attacker could override the UserId and GroupId for GlusterFS and NFS to read and write any data on the network filesystem."}, {"lang": "es", "value": "Red Hat OpenShift Enterprise 3.7 es vulnerable a un reemplazo del control de acceso para los sistemas de archivos de red de contenedor. Un atacante podr\u00eda reemplazar UserId y GroupId en GlusterFS y NFS para leer y escribir cualquier dato en el sistema de archivos de red."}], "lastModified": "2019-10-09T23:38:02.490", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:redhat:openshift:3.7:*:*:*:enterprise:*:*:*", "vulnerable": true, "matchCriteriaId": "2D9724B7-D99B-4376-B1B5-5CE5F336D767"}], "operator": "OR"}]}], "sourceIdentifier": "secalert@redhat.com"}