Vulnerabilities > CVE-2019-3895

047910
CVSS 8.0 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
LOW
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
network
low complexity
openstack
redhat
NVD
Published: 2019-06-03
Updated: 2021-08-04

Summary

An access-control flaw was found in the Octavia service when the cloud platform was deployed using Red Hat OpenStack Platform Director. An attacker could cause new amphorae to run based on any arbitrary image. This meant that a remote attacker could upload a new amphorae image and, if requested to spawn new amphorae, Octavia would then pick up the compromised image.

Vulnerable Configurations

Part Description Count
Application
Openstack
2
Application
Redhat
1

Redhat

advisories
  • rhsa
    idRHSA-2019:1683
  • rhsa
    idRHSA-2019:1742
rpms
  • openstack-tripleo-common-0:9.5.0-5.el7ost
  • openstack-tripleo-common-container-base-0:9.5.0-5.el7ost
  • openstack-tripleo-common-containers-0:9.5.0-5.el7ost
  • openstack-tripleo-common-devtools-0:9.5.0-5.el7ost
  • python2-tripleo-common-0:9.5.0-5.el7ost
  • openstack-tripleo-common-0:8.6.8-11.el7ost
  • openstack-tripleo-common-container-base-0:8.6.8-11.el7ost
  • openstack-tripleo-common-containers-0:8.6.8-11.el7ost
  • openstack-tripleo-common-devtools-0:8.6.8-11.el7ost

References