Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2019-3895

An access-control flaw was found in the Octavia service when the cloud platform was deployed using Red Hat OpenStack Platform Director. An attacker could cause new amphorae to run based on any arbitrary image. This meant that a remote attacker could upload a new amphorae image and, if requested to spawn new amphorae, Octavia would then pick up the compromised image.

Published

2019-06-03T19:29:02.080

Last Modified

2024-11-21T04:42:49.020

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 8.0 (HIGH)

CVSSv2 Vector

AV:N/AC:M/Au:N/C:P/I:P/A:P

Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

Exploitability Score

8.6

Impact Score

6.4

Weaknesses

Type: Secondary
CWE-284
Type: Primary
NVD-CWE-Other

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	openstack	octavia	< 0.9.0	Yes
Application	redhat	openstack	12	Yes

References

https://access.redhat.com/errata/RHSA-2019:1683 Third Party Advisory ([email protected])
https://access.redhat.com/errata/RHSA-2019:1742 Third Party Advisory ([email protected])
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3895 Issue Tracking, Mitigation, Third Party Advisory ([email protected])
https://access.redhat.com/errata/RHSA-2019:1683 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://access.redhat.com/errata/RHSA-2019:1742 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3895 Issue Tracking, Mitigation, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)