Vulnerability Details : CVE-2019-10200
A flaw was discovered in OpenShift Container Platform 4 where, by default, users with access to create pods also have the ability to schedule workloads on master nodes. Pods with permission to access the host network, running on master nodes, can retrieve security credentials for the master AWS IAM role, allowing management access to AWS resources. With access to the security credentials, the user then has access to the entire infrastructure. Impact to data and system availability is high.
Vulnerability category: BypassGain privilege
Exploit prediction scoring system (EPSS) score for CVE-2019-10200
Probability of exploitation activity in the next 30 days: 0.10%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 42 % EPSS Score History EPSS FAQ
CVSS scores for CVE-2019-10200
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
|---|---|---|---|---|---|
|
9.0
|
HIGH | AV:N/AC:L/Au:S/C:C/I:C/A:C |
8.0
|
10.0
|
NIST |
|
7.2
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
1.2
|
5.9
|
NIST |
CWE ids for CVE-2019-10200
-
The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.Assigned by: secalert@redhat.com (Primary)
References for CVE-2019-10200
-
https://bugzilla.redhat.com/show_bug.cgi?id=1730161
1730161 – (CVE-2019-10200) CVE-2019-10200 openshift: Users with permission to schedule pods on master nodes can access credentials for AWS IAM rolesIssue Tracking;Mitigation;Patch;Third Party Advisory
-
https://github.com/openshift/cluster-kube-apiserver-operator/pull/524
Bug 1729242: OCP 4 AWS privilege escalation vulnerability by running pods on masters by ravisantoshgudimetla · Pull Request #524 · openshift/cluster-kube-apiserver-operator · GitHubPatch;Third Party Advisory
Products affected by CVE-2019-10200
- cpe:2.3:a:redhat:openshift_container_platform:4.0:*:*:*:*:*:*:*