Lucene search

GitHub Advisory DatabaseGHSA-G8XM-P2H4-V6JP

HistoryMar 24, 2023 - 9:30 p.m.

OpenShift Assisted Installer leaks image pull secrets as plaintext in installation logs

2023-03-2421:30:48

CWE-532

GitHub Advisory Database

github.com

openshift

assisted installer

vulnerability

image pull secrets

plaintext

installation logs

authenticated user

exploit

container images

registry

CVSS3

5.5

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS

Percentile

15.5%

JSON

A vulnerability was found in OpenShift Assisted Installer. During generation of the Discovery ISO, image pull secrets were leaked as plaintext in the installation logs. An authenticated user could exploit this by re-using the image pull secret to pull container images from the registry as the associated user.

Affected configurations

Vulners

Node

openshiftassisted-installerRange<1.0.25.1

VendorProductVersionCPE
openshiftassisted-installer*cpe:2.3:a:openshift:assisted-installer:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
openshift	assisted-installer	*	cpe:2.3:a:openshift:assisted-installer::::::::

References

bugzilla.redhat.com/show_bug.cgi?id=1985962

github.com/advisories/GHSA-g8xm-p2h4-v6jp

github.com/openshift/assisted-installer/commit/2403dad3795406f2c5d923af0894e07bc8b0bdc4

github.com/openshift/assisted-installer/commit/f3800cfa3d64ce6dcd6f7b73f0578bb99bfdaf7a

nvd.nist.gov/vuln/detail/CVE-2021-3684

CVSS3

5.5

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS

Percentile

15.5%

JSON

Related for GHSA-G8XM-P2H4-V6JP