CVE-2019-3895 Information

Description

An access-control flaw was found in the Octavia service when the cloud platform was deployed using Red Hat OpenStack Platform Director. An attacker could cause new amphorae to run based on any arbitrary image. This meant that a remote attacker could upload a new amphorae image and if requested to spawn new amphorae Octavia would then pick up the compromised image.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Reference

https://access.redhat.com/errata/RHSA-2019:1683 https://access.redhat.com/errata/RHSA-2019:1742 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3895

Attack Complexity

LOW

Privileges Required

LOW

User Interaction Required

LOW

Scope

REQUIRED

Confidentiality Impact

UNCHANGED

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score

HIGH

Base Severity

8.0