Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2020-1706

Опубликовано: 21 янв. 2020
Источник: redhat
CVSS3: 7
EPSS Низкий

Описание

It has been found that in openshift-enterprise version 3.11 and openshift-enterprise versions 4.1 up to, including 4.3, multiple containers modify the permissions of /etc/passwd to make them modifiable by users other than root. An attacker with access to the running container can exploit this to modify /etc/passwd to add a user and escalate their privileges. This CVE is specific to the openshift/apb-tools-container.

An insecure modification vulnerability in the /etc/passwd file was found in the openshift/apb-tools. An attacker with access to the container could use this flaw to modify /etc/passwd and escalate their privileges.

Отчет

By default this vulnerability is not exploitable in un-privilieged containers running on OpenShift Container Platform. This is because the system call SETUID and SETGID is blocked by the default seccomp policy.

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
Red Hat OpenShift Container Platform 3.11openshift3/apb-toolsWill not fix
Red Hat OpenShift Container Platform 4.2openshift4/apb-toolsFixedRHSA-2020:230503.06.2020
Red Hat OpenShift Container Platform 4.3openshift4/apb-toolsFixedRHSA-2020:244217.06.2020

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate
Дефект:
CWE-732
https://bugzilla.redhat.com/show_bug.cgi?id=1793302openshift/apb-tools: /etc/passwd is given incorrect privileges

EPSS

Процентиль: 27%
0.00094
Низкий

7 High

CVSS3

Связанные уязвимости

nvd логотип

CVE-2020-1706

CVSS3: 7
nvd
почти 6 лет назад

It has been found that in openshift-enterprise version 3.11 and openshift-enterprise versions 4.1 up to, including 4.3, multiple containers modify the permissions of /etc/passwd to make them modifiable by users other than root. An attacker with access to the running container can exploit this to modify /etc/passwd to add a user and escalate their privileges. This CVE is specific to the openshift/apb-tools-container.

github логотип

GHSA-j28m-qhxw-4r5g

CVSS3: 7
github
больше 3 лет назад

It has been found that in openshift-enterprise version 3.11 and openshift-enterprise versions 4.1 up to, including 4.3, multiple containers modify the permissions of /etc/passwd to make them modifiable by users other than root. An attacker with access to the running container can exploit this to modify /etc/passwd to add a user and escalate their privileges. This CVE is specific to the openshift/apb-tools-container.

EPSS

Процентиль: 27%
0.00094
Низкий

7 High

CVSS3