RedhatCVELIST:CVE-2019-10150CVE-2019-10150
CVSS3
Attack Vector
ADJACENT
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
HIGH
Availability Impact
LOW
CVSS:3.0/AV:A/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:L
AI Score
Confidence
High
EPSS
Percentile
82.2%
It was found that OpenShift Container Platform versions 3.6.x - 4.6.0 does not perform SSH Host Key checking when using ssh key authentication during builds. An attacker, with the ability to redirect network traffic, could use this to alter the resulting build output.
CNA Affected
[
{
"product": "atomic-openshift",
"vendor": "redhat",
"versions": [
{
"status": "affected",
"version": "3.6.x - 4.0.0"
}
]
}
]References
access.redhat.com/errata/RHSA-2019:2989
access.redhat.com/errata/RHSA-2019:3007
access.redhat.com/errata/RHSA-2019:3143
access.redhat.com/errata/RHSA-2019:3811
bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10150
docs.openshift.com/container-platform/3.11/dev_guide/builds/build_inputs.html#source-secrets-ssh-key-authentication
Related
CVSS3
Attack Vector
ADJACENT
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
HIGH
Availability Impact
LOW
CVSS:3.0/AV:A/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:L
AI Score
Confidence
High
EPSS
Percentile
82.2%