Vulnerability Details : CVE-2018-15869
An Amazon Web Services (AWS) developer who does not specify the --owners flag when describing images via the AWS CLI, and who therefore does not properly validate source software per AWS-recommended security best practices, may unintentionally load an undesired and potentially malicious Amazon Machine Image (AMI) from the uncurated public community AMI catalog.
Products affected by CVE-2018-15869
- cpe:2.3:a:hashicorp:packer:*:*:*:*:*:*:*:*
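For the affected product, the same gap shows up as a Packer `source_ami_filter` with no `owners` field (the subject of the Packer issue listed in the references). The following check is an added example, not code from this page or from HashiCorp; it assumes legacy JSON templates, and the sample template, builder names and account ID are constructed placeholders.

```python
import json

# Packer builder types that accept source_ami_filter.
AMAZON_BUILDERS = {"amazon-ebs", "amazon-ebssurrogate", "amazon-ebsvolume",
                   "amazon-chroot", "amazon-instance"}

# Constructed sample template (not from the page); account ID is a placeholder.
SAMPLE_TEMPLATE = """
{
  "builders": [
    {"type": "amazon-ebs", "name": "unpinned",
     "source_ami_filter": {"filters": {"name": "ubuntu-xenial-*"}, "most_recent": true}},
    {"type": "amazon-ebs", "name": "empty-owners",
     "source_ami_filter": {"filters": {"name": "ubuntu-xenial-*"}, "owners": []}},
    {"type": "amazon-ebs", "name": "pinned",
     "source_ami_filter": {"filters": {"name": "ubuntu-xenial-*"},
                           "owners": ["123456789012"], "most_recent": true}},
    {"type": "amazon-ebs", "name": "fixed-ami", "source_ami": "ami-PLACEHOLDER"},
    {"type": "docker", "name": "not-aws", "image": "ubuntu"}
  ]
}
"""

def find_unpinned_ami_filters(template_text):
    """Return (builder_name, reason) for each Amazon builder whose
    source_ami_filter does not restrict the image owner."""
    template = json.loads(template_text)
    findings = []
    for index, builder in enumerate(template.get("builders", [])):
        if builder.get("type") not in AMAZON_BUILDERS:
            continue
        ami_filter = builder.get("source_ami_filter")
        if ami_filter is None:
            continue  # explicit source_ami: no filter-based lookup happens
        name = builder.get("name", f"builders[{index}]")
        owners = ami_filter.get("owners")
        if owners is None:
            findings.append((name, "owners missing"))
        elif not any(str(owner).strip() for owner in owners):
            findings.append((name, "owners empty"))
    return findings

if __name__ == "__main__":
    for name, reason in find_unpinned_ami_filters(SAMPLE_TEMPLATE):
        print(f"{name}: source_ami_filter {reason}; "
              "any public AMI matching the filters can be selected")
```

Run as a pre-merge check over template files, this flags builders that would resolve their base image from the whole public catalog rather than from a named owner.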
Exploit prediction scoring system (EPSS) score for CVE-2018-15869
- 0.07%: probability of exploitation activity in the next 30 days
- ~34%: percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2018-15869
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N | 10.0 | 2.9 | NIST | |
5.3 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N | 3.9 | 1.4 | NIST | |
CWE ids for CVE-2018-15869
- The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors. Assigned by: nvd@nist.gov (Primary)
References for CVE-2018-15869
- https://github.com/hashicorp/packer/issues/6584
  Make "owners" field of source_ami_filter required: RFC · Issue #6584 · hashicorp/packer · GitHub (Third Party Advisory)
- http://www.securityfocus.com/bid/105172
  Amazon AWS Command Line Interface CVE-2018-15869 Security Bypass Vulnerability (Third Party Advisory; VDB Entry)