Vulnerabilities > CVE-2019-3895

047910
CVSS 6.8 - MEDIUM
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL

Summary

An access-control flaw was found in the Octavia service when the cloud platform was deployed using Red Hat OpenStack Platform Director. An attacker could cause new amphorae to run based on any arbitrary image. This meant that a remote attacker could upload a new amphorae image and, if requested to spawn new amphorae, Octavia would then pick up the compromised image.

Vulnerable Configurations

Part Description Count
Application
Openstack
2
Application
Redhat
1

Redhat

advisories
  • rhsa
    idRHSA-2019:1683
  • rhsa
    idRHSA-2019:1742
rpms
  • openstack-tripleo-common-0:9.5.0-5.el7ost
  • openstack-tripleo-common-container-base-0:9.5.0-5.el7ost
  • openstack-tripleo-common-containers-0:9.5.0-5.el7ost
  • openstack-tripleo-common-devtools-0:9.5.0-5.el7ost
  • python2-tripleo-common-0:9.5.0-5.el7ost
  • openstack-tripleo-common-0:8.6.8-11.el7ost
  • openstack-tripleo-common-container-base-0:8.6.8-11.el7ost
  • openstack-tripleo-common-containers-0:8.6.8-11.el7ost
  • openstack-tripleo-common-devtools-0:8.6.8-11.el7ost