CVE-2021-3684

2023-03-2420:15:08

CWE-532

[email protected]

web.nvd.nist.gov

cve-2021-3684

openshift assisted installer

vulnerability

image pull secrets

installation logs

authenticated user

5.5 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

5.3 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

15.6%

JSON

A vulnerability was found in OpenShift Assisted Installer. During generation of the Discovery ISO, image pull secrets were leaked as plaintext in the installation logs. An authenticated user could exploit this by re-using the image pull secret to pull container images from the registry as the associated user.

Affected configurations

Vulners

NVD

Node

redhatopenshift_assisted_installerRange≤1.0.25.1

redhatopenshift_assisted_installerRange≤2.0.0

VendorProductVersionCPE
redhatopenshift_assisted_installer*cpe:2.3:a:redhat:openshift_assisted_installer:*:*:*:*:*:*:*:*
redhatopenshift_assisted_installer*cpe:2.3:a:redhat:openshift_assisted_installer:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
redhat	openshift_assisted_installer	*	cpe:2.3:a:redhat:openshift_assisted_installer::::::::
redhat	openshift_assisted_installer	*	cpe:2.3:a:redhat:openshift_assisted_installer::::::::

CNA Affected

[
  {
    "vendor": "n/a",
    "product": "assisted-installer",
    "versions": [
      {
        "version": "openshift/assisted-installer 1.0.25.1, openshift/assisted-installer 2.0.0",
        "status": "affected"
      }
    ]
  }
]