CVE-2019-3895
Published: 3 June 2019
An access-control flaw was found in the Octavia service when the cloud platform was deployed using Red Hat OpenStack Platform Director. An attacker could cause new amphorae to run based on any arbitrary image. This meant that a remote attacker could upload a new amphorae image and, if requested to spawn new amphorae, Octavia would then pick up the compromised image.
Priority
Status
Package | Release | Status |
---|---|---|
octavia Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
cosmic |
Ignored
(end of life)
|
|
disco |
Ignored
(end of life)
|
|
eoan |
Ignored
(end of life)
|
|
focal |
Needs triage
|
|
hirsute |
Ignored
(end of life)
|
|
groovy |
Ignored
(end of life)
|
|
jammy |
Needs triage
|
|
impish |
Ignored
(end of life)
|
|
kinetic |
Ignored
(end of life, was needs-triage)
|
|
trusty |
Does not exist
|
|
upstream |
Not vulnerable
(debian: Fixed before initial upload to the archive)
|
|
xenial |
Does not exist
|
|
mantic |
Needs triage
|
|
lunar |
Ignored
(end of life, was needs-triage)
|
Severity score breakdown
Parameter | Value |
---|---|
Base score | 8.0 |
Attack vector | Network |
Attack complexity | Low |
Privileges required | Low |
User interaction | Required |
Scope | Unchanged |
Confidentiality | High |
Integrity impact | High |
Availability impact | High |
Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H |