redhat openshift_container_platform 访问控制不恰当

CVE编号

CVE-2019-10200

利用情况

暂无

补丁情况

N/A

披露时间

2021-03-20
漏洞描述
A flaw was discovered in OpenShift Container Platform 4 where, by default, users with access to create pods also have the ability to schedule workloads on master nodes. Pods with permission to access the host network, running on master nodes, can retrieve security credentials for the master AWS IAM role, allowing management access to AWS resources. With access to the security credentials, the user then has access to the entire infrastructure. Impact to data and system availability is high.
解决建议
建议您更新当前系统或软件至最新版,完成漏洞的修复。
受影响软件情况
# 类型 厂商 产品 版本 影响面
1
运行在以下环境
应用 redhat openshift_container_platform 4.0 -
运行在以下环境
系统 debian_10 yard * Up to
(excluding)
0.6.1-2+deb10u1
运行在以下环境
系统 debian_9 yard * Up to
(excluding)
0.9.7-1
运行在以下环境
系统 fedora_32 yard * Up to
(excluding)
0.6.3-2.fc32
运行在以下环境
系统 ubuntu_16.04.7_lts docker.io * Up to
(excluding)
18.09.7-0ubuntu1~16.04.5
运行在以下环境
系统 ubuntu_18.04.5_lts docker.io * Up to
(excluding)
18.09.7-0ubuntu1~18.04.4
CVSS3评分
7.2
  • 攻击路径
    网络
  • 攻击复杂度
  • 权限要求
  • 影响范围
    未更改
  • 用户交互
  • 可用性
  • 保密性
  • 完整性
CWE-ID 漏洞类型
CWE-284 访问控制不恰当
阿里云安全产品覆盖情况