CVE-2019-10150 : It was found that OpenShift Container Platform versions 3.6.x

It was found that OpenShift Container Platform versions 3.6.x - 4.6.0 does not perform SSH Host Key checking when using ssh key authentication during builds. An attacker, with the ability to redirect network traffic, could use this to alter the resulting build output.

Published 2019-06-12 14:29:03

Updated 2023-02-12 23:33:11

Source Red Hat, Inc.

View at NVD, CVE.org

Vulnerability category: BypassGain privilege

Products affected by CVE-2019-10150

Redhat » Openshift Container Platform
Versions from including (>=) 3.6 and up to, including, (<=) 4.1
cpe:2.3:a:redhat:openshift_container_platform:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2019-10150

EPSS FAQ

0.32%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 52 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2019-10150

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
4.3	MEDIUM	AV:N/AC:M/Au:N/C:N/I:P/A:N	8.6	2.9	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: None Integrity Impact: Partial Availability Impact: None
5.9	MEDIUM	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N	2.2	3.6	NIST
Attack Vector: Network Attack Complexity: High Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: High Availability: None
5.9	MEDIUM	CVSS:3.0/AV:A/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:L	1.2	4.7	Red Hat, Inc.
Attack Vector: Adjacent Network Attack Complexity: High Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality: Low Integrity: High Availability: Low

CWE ids for CVE-2019-10150

CWE-287 Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Assigned by:
- nvd@nist.gov (Secondary)
- secalert@redhat.com (Primary)

References for CVE-2019-10150

https://access.redhat.com/errata/RHSA-2019:3811

RHSA-2019:3811 - Security Advisory - Red Hat Customer Portal

CVEs referencing this url
https://docs.openshift.com/container-platform/3.11/dev_guide/builds/build_inputs.html#source-secrets-ssh-key-authentication

Build Inputs - Builds | Developer Guide | OpenShift Container Platform 3.11
Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10150

1713433 – (CVE-2019-10150) CVE-2019-10150 atomic-openshift: OpenShift builds don't verify SSH Host Keys for the git repository
Issue Tracking;Vendor Advisory
https://access.redhat.com/errata/RHSA-2019:3007

RHSA-2019:3007 - Security Advisory - Red Hat Customer Portal
https://access.redhat.com/errata/RHSA-2019:2989

RHSA-2019:2989 - Security Advisory - Red Hat Customer Portal
https://access.redhat.com/errata/RHSA-2019:3143

RHSA-2019:3143 - Security Advisory - Red Hat Customer Portal

Jump to

Vulnerability Details : CVE-2019-10150

Products affected by CVE-2019-10150

Exploit prediction scoring system (EPSS) score for CVE-2019-10150

CVSS scores for CVE-2019-10150

CWE ids for CVE-2019-10150

References for CVE-2019-10150