Vulnerability Details : CVE-2019-3899
It was found that default configuration of Heketi does not require any authentication potentially exposing the management interface to misuse. This isue only affects heketi as shipped with Openshift Container Platform 3.11.
Exploit prediction scoring system (EPSS) score for CVE-2019-3899
Probability of exploitation activity in the next 30 days: 0.24%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 61 % EPSS Score History EPSS FAQ
CVSS scores for CVE-2019-3899
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
|---|---|---|---|---|---|
|
7.5
|
HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
10.0
|
6.4
|
NIST |
|
7.3
|
HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L |
3.9
|
3.4
|
Red Hat, Inc. |
|
9.8
|
CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
3.9
|
5.9
|
NIST |
CWE ids for CVE-2019-3899
-
The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.Assigned by: nvd@nist.gov (Secondary)
-
Assigned by: secalert@redhat.com (Primary)
References for CVE-2019-3899
-
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3899
1701091 – (CVE-2019-3899) CVE-2019-3899 heketi: heketi can be installed using insecure defaultsIssue Tracking;Mitigation;Third Party Advisory
-
https://access.redhat.com/errata/RHSA-2019:3255
RHSA-2019:3255 - Security Advisory - Red Hat Customer PortalThird Party Advisory
Products affected by CVE-2019-3899
- cpe:2.3:a:redhat:openshift_container_platform:3.11:*:*:*:*:*:*:*
- cpe:2.3:a:heketi_project:heketi:-:*:*:*:*:*:*:*