Vulnerability Details : CVE-2019-10150
It was found that OpenShift Container Platform versions 3.6.x - 4.6.0 do not perform SSH host key checking when using SSH key authentication during builds. An attacker with the ability to redirect network traffic could use this to alter the resulting build output.
Vulnerability category: Bypass, Gain privilege
Products affected by CVE-2019-10150
- Redhat » Openshift Container Platform
  Versions from including (>=) 3.6 and up to, including, (<=) 4.1
  cpe:2.3:a:redhat:openshift_container_platform:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2019-10150
- 0.32%: Probability of exploitation activity in the next 30 days
- ~52%: Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2019-10150
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N | 8.6 | 2.9 | NIST | |
5.9 | MEDIUM | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N | 2.2 | 3.6 | NIST | |
5.9 | MEDIUM | CVSS:3.0/AV:A/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:L | 1.2 | 4.7 | Red Hat, Inc. | |
CWE ids for CVE-2019-10150
- When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
  Assigned by:
  - nvd@nist.gov (Secondary)
  - secalert@redhat.com (Primary)
References for CVE-2019-10150
- https://access.redhat.com/errata/RHSA-2019:3811
  RHSA-2019:3811 - Security Advisory - Red Hat Customer Portal
- https://docs.openshift.com/container-platform/3.11/dev_guide/builds/build_inputs.html#source-secrets-ssh-key-authentication
  Build Inputs - Builds | Developer Guide | OpenShift Container Platform 3.11 (Vendor Advisory)
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10150
  1713433 – (CVE-2019-10150) CVE-2019-10150 atomic-openshift: OpenShift builds don't verify SSH Host Keys for the git repository (Issue Tracking; Vendor Advisory)
- https://access.redhat.com/errata/RHSA-2019:3007
  RHSA-2019:3007 - Security Advisory - Red Hat Customer Portal
- https://access.redhat.com/errata/RHSA-2019:2989
  RHSA-2019:2989 - Security Advisory - Red Hat Customer Portal
- https://access.redhat.com/errata/RHSA-2019:3143
  RHSA-2019:3143 - Security Advisory - Red Hat Customer Portal