exploitDog

CVE-2017-15138

Published: Apr 11, 2018
Source: redhat
CVSS3: 5
EPSS: Low

Description

The OpenShift Enterprise cluster-reader can access webhook tokens, which would allow an attacker with sufficient privileges to view confidential webhook tokens.

An improper authorization flaw in the atomic-openshift component of OpenShift Container Platform 3.7 and earlier allows a user with cluster-reader or project viewer permissions to trigger an application build. An attacker could use this flaw to trigger a build of an application when that should be restricted.

Report

The OpenShift Enterprise cluster-reader can access webhook tokens [1], which would allow an attacker with cluster-reader permissions [2] or project viewer permissions [3] to view confidential webhook tokens.

[1] https://docs.openshift.com/container-platform/3.7/dev_guide/builds/triggering_builds.html#webhook-triggers
[2] https://docs.openshift.com/container-platform/3.7/admin_guide/manage_rbac.html
[3] https://docs.openshift.com/container-platform/3.7/admin_solutions/user_role_mgmt.html#adding-a-role-to-a-user

Mitigation

Don't use webhook tokens to trigger builds. Alternatively, don't rely on project viewer or cluster-reader permissions to prevent those users from running builds.

Affected packages

Platform                                   Package                            State         Advisory         Release
Red Hat OpenShift Container Platform 3.2   atomic-openshift                   Will not fix
Red Hat OpenShift Container Platform 3.7   atomic-openshift                   Will not fix
Red Hat OpenShift Container Platform 3.9   ansible-asb-modules                Fixed         RHBA-2018:0489   28.03.2018
Red Hat OpenShift Container Platform 3.9   ansible-kubernetes-modules         Fixed         RHBA-2018:0489   28.03.2018
Red Hat OpenShift Container Platform 3.9   ansible-service-broker             Fixed         RHBA-2018:0489   28.03.2018
Red Hat OpenShift Container Platform 3.9   apb                                Fixed         RHBA-2018:0489   28.03.2018
Red Hat OpenShift Container Platform 3.9   apb-base-scripts                   Fixed         RHBA-2018:0489   28.03.2018
Red Hat OpenShift Container Platform 3.9   atomic-openshift                   Fixed         RHBA-2018:0489   28.03.2018
Red Hat OpenShift Container Platform 3.9   atomic-openshift-dockerregistry    Fixed         RHBA-2018:0489   28.03.2018
Red Hat OpenShift Container Platform 3.9   atomic-openshift-web-console       Fixed         RHBA-2018:0489   28.03.2018

Additional information

Status: Moderate
Defect: CWE-285
https://bugzilla.redhat.com/show_bug.cgi?id=1566212
atomic-openshift: cluster-reader can escalate to creating builds via webhooks in any project

EPSS: 0.00165 (Low), percentile: 38%
CVSS3: 5 (Medium)

Related vulnerabilities

CVSS3: 5
nvd
more than 7 years ago

The OpenShift Enterprise cluster-reader can access webhook tokens, which would allow an attacker with sufficient privileges to view confidential webhook tokens.

CVSS3: 5
github
more than 3 years ago

The OpenShift Enterprise cluster-reader can access webhook tokens, which would allow an attacker with sufficient privileges to view confidential webhook tokens.
