
CVE-2016-1906

Published: 06 Jan 2016
Source: redhat
CVSS2: 4.6
EPSS: Low

Description

Openshift allows remote attackers to gain privileges by updating a build configuration that was created with an allowed type to a type that is not allowed.

An authorization flaw was discovered in Kubernetes; the API server did not properly check user permissions when handling certain build-configuration strategies. A remote attacker could create build configurations with strategies that violate policy. Although the attacker could not launch the build themselves (the launch fails when the policy is violated), if the build configuration was later launched by another privileged service (such as an automated trigger), the user's permission check could be bypassed, allowing the attacker to escalate privileges.
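The create-then-update sequence the description walks through, as an added toy model written for this page (not OpenShift's code; the Server, Policy, user and strategy names are constructed): with the pre-fix behaviour the policy is checked only on create, so a later privileged trigger runs the disallowed strategy, while the fixed server re-checks the caller's permission on update.

```go
package main

import "fmt"

// Toy model of the flaw described above (constructed example, not OpenShift code):
// the strategy policy is enforced on create but, before the fix, not on update.
type BuildConfig struct{ Name, Strategy string }

// Policy maps a user to the build strategies that user may use.
type Policy map[string]map[string]bool

// Server is a toy API server; checkOnUpdate=true models the fixed behaviour.
type Server struct {
	policy        Policy
	checkOnUpdate bool
	configs       map[string]BuildConfig
}

// Create always enforced the policy, both before and after the fix.
func (s *Server) Create(user string, bc BuildConfig) error {
	if !s.policy[user][bc.Strategy] {
		return fmt.Errorf("create: strategy %q not allowed for %s", bc.Strategy, user)
	}
	s.configs[bc.Name] = bc
	return nil
}

// Update is where the flaw lived: the new strategy was not re-checked against the caller.
func (s *Server) Update(user string, bc BuildConfig) error {
	if s.checkOnUpdate && !s.policy[user][bc.Strategy] {
		return fmt.Errorf("update: strategy %q not allowed for %s", bc.Strategy, user)
	}
	s.configs[bc.Name] = bc
	return nil
}

// Scenario replays the page's sequence (allowed create, disallowed update, trigger launch)
// and returns the strategy the trigger actually ran plus the error from the update call.
func Scenario(fixed bool) (string, error) {
	s := &Server{policy: Policy{"dev": {"Source": true}}, checkOnUpdate: fixed, configs: map[string]BuildConfig{}}
	_ = s.Create("dev", BuildConfig{Name: "app", Strategy: "Source"})
	err := s.Update("dev", BuildConfig{Name: "app", Strategy: "Custom"})
	// A privileged automated trigger now launches whatever is stored, trusting it already passed policy.
	return s.configs["app"].Strategy, err
}

func main() {
	fmt.Println(Scenario(false)) // pre-fix: Custom <nil>
	fmt.Println(Scenario(true))  // fixed: Source update: strategy "Custom" not allowed for dev
}
```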

Affected packages

Platform | Package | Status | Advisory | Release
Red Hat Enterprise Linux 7 | kubernetes | Will not fix | |
Red Hat OpenShift Enterprise 3.0 | openshift | Fixed | RHSA-2016:0351 | 03.03.2016
Red Hat OpenShift Enterprise 3.1 | atomic-openshift | Fixed | RHSA-2016:0070 | 26.01.2016
Red Hat OpenShift Enterprise 3.1 | heapster | Fixed | RHSA-2016:0070 | 26.01.2016
Red Hat OpenShift Enterprise 3.1 | jenkins | Fixed | RHSA-2016:0070 | 26.01.2016
Red Hat OpenShift Enterprise 3.1 | nodejs-align-text | Fixed | RHSA-2016:0070 | 26.01.2016
Red Hat OpenShift Enterprise 3.1 | nodejs-ansi-green | Fixed | RHSA-2016:0070 | 26.01.2016
Red Hat OpenShift Enterprise 3.1 | nodejs-ansi-wrap | Fixed | RHSA-2016:0070 | 26.01.2016
Red Hat OpenShift Enterprise 3.1 | nodejs-anymatch | Fixed | RHSA-2016:0070 | 26.01.2016
Red Hat OpenShift Enterprise 3.1 | nodejs-array-unique | Fixed | RHSA-2016:0070 | 26.01.2016


Additional information

Severity: Moderate
Weakness: CWE-285
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1297916 (server: build config to a strategy that isn't allowed by policy)

EPSS

Percentile: 81%
Score: 0.01555
Low

CVSS2: 4.6 Medium

Related vulnerabilities

CVSS3: 9.8
nvd
almost 10 years ago

Openshift allows remote attackers to gain privileges by updating a build configuration that was created with an allowed type to a type that is not allowed.

CVSS3: 9.8
debian
almost 10 years ago

Openshift allows remote attackers to gain privileges by updating a bui ...

CVSS3: 9.8
github
almost 4 years ago

Authorization bypass in Openshift

fstec
almost 10 years ago

A vulnerability in the Kubernetes virtual-machine cluster management software that allows an attacker to escalate their privileges
