CVE-2019-10150
5.9
CVSS:3.0/AV:A/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:L
Summary
It was found that OpenShift Container Platform versions 3.6.x - 4.6.0 does not perform SSH Host Key checking when using ssh key authentication during builds. An attacker, with the ability to redirect network traffic, could use this to alter the resulting build output.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| redhat | atomic-openshift | 3.6.x - 4.0.0 | affected |
Weaknesses
- CWE-287: CWE-287
ADP Enrichment
CVE Program Container
Additional References
- https://docs.openshift.com/container-platform/3.11/dev_guide/builds/build_inputs.html#source-secrets-ssh-key-authentication
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10150
- https://access.redhat.com/errata/RHSA-2019:2989
- https://access.redhat.com/errata/RHSA-2019:3007
- https://access.redhat.com/errata/RHSA-2019:3143
- https://access.redhat.com/errata/RHSA-2019:3811
References
- https://docs.openshift.com/container-platform/3.11/dev_guide/builds/build_inputs.html#source-secrets-ssh-key-authentication
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10150
- https://access.redhat.com/errata/RHSA-2019:2989
- https://access.redhat.com/errata/RHSA-2019:3007
- https://access.redhat.com/errata/RHSA-2019:3143
- https://access.redhat.com/errata/RHSA-2019:3811
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.