CVE-2019-19348 – openshift/apb-base: /etc/passwd is given incorrect privileges
https://notcve.org/view.php?id=CVE-2019-19348
An insecure modification vulnerability in the /etc/passwd file was found in the container openshift/apb-base, affecting versions before the following 4.3.5, 4.2.21, 4.1.37, and 3.11.188-4. An attacker with access to the container could use this flaw to modify /etc/passwd and escalate their privileges. Se detectó una vulnerabilidad de modificación no segura en el archivo /etc/passwd en el contenedor openshift/apb-base, que afecta a las versiones anteriores a las siguientes 4.3.5, 4.2.21, 4.1.37 y 3.11.188-4. Un atacante con acceso al contenedor podría utilizar este fallo para modificar el archivo /etc/passwd y escalar sus privilegios. • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-19348 https://access.redhat.com/security/cve/CVE-2019-19348 https://bugzilla.redhat.com/show_bug.cgi?id=1793286 https://access.redhat.com/articles/4859371 • CWE-266: Incorrect Privilege Assignment CWE-269: Improper Privilege Management •
CVE-2020-1707 – openshift/postgresql-apb: /etc/passwd is given incorrect privileges
https://notcve.org/view.php?id=CVE-2020-1707
A vulnerability was found in all openshift/postgresql-apb 4.x.x versions prior to 4.3.0, where an insecure modification vulnerability in the /etc/passwd file was found in the container openshift/postgresql-apb. An attacker with access to the container could use this flaw to modify /etc/passwd and escalate their privileges. Se encontró una vulnerabilidad en todas las versiones de openshift/postgresql-apb 4.x.x anteriores a 4.3.0, donde se encontró una vulnerabilidad de modificación no segura en el archivo /etc/passwd en el contenedor openshift/postgresql-apb. Un atacante con acceso al contenedor podría usar este fallo para modificar /etc/passwd y escalar sus privilegios. An insecure modification vulnerability in the /etc/passwd file was found in the container openshift/postgresql-apb. • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1707 https://access.redhat.com/security/cve/CVE-2020-1707 https://bugzilla.redhat.com/show_bug.cgi?id=1793301 https://access.redhat.com/articles/4859371 • CWE-732: Incorrect Permission Assignment for Critical Resource •
CVE-2019-19351 – openshift/jenkins: /etc/passwd is given incorrect privileges
https://notcve.org/view.php?id=CVE-2019-19351
An insecure modification vulnerability in the /etc/passwd file was found in the container openshift/jenkins. An attacker with access to the container could use this flaw to modify /etc/passwd and escalate their privileges. This CVE is specific to the openshift/jenkins-slave-base-rhel7-containera as shipped in Openshift 4 and 3.11. Se detectó una vulnerabilidad de modificación no segura en el archivo /etc/passwd en el contenedor openshift/jenkins. Un atacante con acceso al contenedor podría usar este fallo para modificar el archivo /etc/passwd y escalar sus privilegios. • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-19351 https://access.redhat.com/security/cve/CVE-2019-19351 https://bugzilla.redhat.com/show_bug.cgi?id=1793282 https://access.redhat.com/articles/4859371 • CWE-266: Incorrect Privilege Assignment CWE-269: Improper Privilege Management •
CVE-2020-1704 – openshift-service-mesh/kiali-rhel7-operator: /etc/passwd is given incorrect privileges
https://notcve.org/view.php?id=CVE-2020-1704
An insecure modification vulnerability in the /etc/passwd file was found in all versions of OpenShift ServiceMesh (maistra) before 1.0.8 in the openshift/istio-kialia-rhel7-operator-container. An attacker with access to the container could use this flaw to modify /etc/passwd and escalate their privileges. Se encontró una vulnerabilidad de modificación no segura en el archivo /etc/passwd en OpenShift ServiceMesh (maistra) todas las versiones anteriores a 1.0.8 en el openshift/istio-kialia-rhel7-operator-container. Un atacante con acceso al contenedor podría utilizar este fallo para modificar el archivo /etc/passwd y escalar sus privilegios. An insecure modification vulnerability in the /etc/passwd file was found in the openshift-service-mesh/kiali-rhel7-operator. • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1704 https://access.redhat.com/security/cve/CVE-2020-1704 https://bugzilla.redhat.com/show_bug.cgi?id=1793305 https://access.redhat.com/articles/4859371 • CWE-266: Incorrect Privilege Assignment CWE-732: Incorrect Permission Assignment for Critical Resource •
CVE-2019-19335 – openshift/installer: kubeconfig and kubeadmin-password are created with word-readable permissions
https://notcve.org/view.php?id=CVE-2019-19335
During installation of an OpenShift 4 cluster, the `openshift-install` command line tool creates an `auth` directory, with `kubeconfig` and `kubeadmin-password` files. Both files contain credentials used to authenticate to the OpenShift API server, and are incorrectly assigned word-readable permissions. ose-installer as shipped in Openshift 4.2 is vulnerable. Durante la instalación de un clúster de OpenShift versión 4, la herramienta de línea de comando "openshift-install" crea un directorio "auth", con los archivos "kubeconfig" y "kubeadmin-password". Ambos archivos contienen credenciales usadas para autenticarse en el servidor de la API OpenShift, y se les asignaron permisos world-readable inapropiadamente. ose-installer como es incluido en Openshift versión 4.2 es vulnerable. • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-19335 https://access.redhat.com/security/cve/CVE-2019-19335 https://bugzilla.redhat.com/show_bug.cgi?id=1777209 • CWE-732: Incorrect Permission Assignment for Critical Resource •