CVE-2019-3899
CVSS V2 High 7.5
CVSS V3 Critical 9.8
Description
It was found that default configuration of Heketi does not require any authentication potentially exposing the management interface to misuse. This isue only affects heketi as shipped with Openshift Container Platform 3.11.
Overview
- CVE ID
- CVE-2019-3899
- Assigner
- secalert@redhat.com
- Vulnerability Status
- Modified
- Published Version
- 2019-04-22T16:29:01
- Last Modified Date
- 2023-02-12T23:38:50
Weakness Enumerations
CPE Configuration (Product)
| CPE | Vulnerable | Operator | Version Start | Version End |
|---|---|---|---|---|
| cpe:2.3:a:redhat:openshift_container_platform:3.11:*:*:*:*:*:*:* | 1 | OR | ||
| cpe:2.3:a:heketi_project:heketi:-:*:*:*:*:*:*:* | 1 | OR |
CVSS Version 2
- Version
- 2.0
- Vector String
- AV:N/AC:L/Au:N/C:P/I:P/A:P
- Access Vector
- NETWORK
- Access Compatibility
- LOW
- Authentication
- NONE
- Confidentiality Impact
- PARTIAL
- Integrity Impact
- PARTIAL
- Availability Impact
- PARTIAL
- Base Score
- 7.5
- Severity
- HIGH
- Exploitability Score
- 10
- Impact Score
- 6.4
CVSS Version 3
- Version
- 3.1
- Vector String
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Attack Vector
- NETWORK
- Attack Compatibility
- LOW
- Privileges Required
- NONE
- User Interaction
- NONE
- Scope
- UNCHANGED
- Confidentiality Impact
- HIGH
- Availability Impact
- HIGH
- Base Score
- 9.8
- Base Severity
- CRITICAL
- Exploitability Score
- 3.9
- Impact Score
- 5.9
References
| Reference URL | Reference Tags |
|---|---|
| https://access.redhat.com/errata/RHSA-2019:3255 | Third Party Advisory |
| https://access.redhat.com/security/cve/CVE-2019-3899 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=1701091 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3899 | Issue Tracking Mitigation Third Party Advisory |
Sources
| Source Name | Source URL |
|---|---|
| NIST | https://nvd.nist.gov/vuln/detail/CVE-2019-3899 |
| MITRE | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3899 |
History
| Created | Old Value | New Value | Data Type | Notes |
|---|---|---|---|---|
| 2022-05-10 17:07:53 | Added to TrackCVE | |||
| 2022-12-03 19:50:30 | 2019-04-22T16:29Z | 2019-04-22T16:29:01 | CVE Published Date | updated |
| 2022-12-03 19:50:30 | 2020-10-15T19:38:54 | CVE Modified Date | updated | |
| 2022-12-03 19:50:30 | Analyzed | Vulnerability Status | updated | |
| 2023-02-02 22:09:27 | 2023-02-02T21:19:14 | CVE Modified Date | updated | |
| 2023-02-02 22:09:27 | Analyzed | Modified | Vulnerability Status | updated |
| 2023-02-02 22:09:28 | It was found that default configuration of Heketi does not require any authentication potentially exposing the management interface to misuse. This isue only affects heketi as shipped with Openshift Container Platform 3.11. | It was found that the default configuration of Heketi does not require any authentication, potentially exposing the Heketi server API to be misused. An unauthenticated attacker could connect remotely to Heketi Server and run arbitrary commands supported by Heketi Server API via Heketi CLI. | Description | updated |
| 2023-02-02 22:09:29 | References | updated | ||
| 2023-02-13 00:09:02 | 2023-02-12T23:38:50 | CVE Modified Date | updated | |
| 2023-02-13 00:09:02 | Weakness Enumeration | update | ||
| 2023-02-13 00:09:02 | It was found that the default configuration of Heketi does not require any authentication, potentially exposing the Heketi server API to be misused. An unauthenticated attacker could connect remotely to Heketi Server and run arbitrary commands supported by Heketi Server API via Heketi CLI. | It was found that default configuration of Heketi does not require any authentication potentially exposing the management interface to misuse. This isue only affects heketi as shipped with Openshift Container Platform 3.11. | Description | updated |