CVE-2019-3895

CVE Database · CVE-2019-3895

CVE-2019-3895

· HIGHModified

CVSS v3.1

8.0

EPSS

1.42%

Published

Jun 3, 2019

Modified

Nov 21, 2024

Public PoC / Exploit

All weaponized →

No public PoC or exploit code indexed for this CVE.

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

An access-control flaw was found in the Octavia service when the cloud platform was deployed using Red Hat OpenStack Platform Director. An attacker could cause new amphorae to run based on any arbitrary image. This meant that a remote attacker could upload a new amphorae image and, if requested to spawn new amphorae, Octavia would then pick up the compromised image.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Weaknesses (CWE)

CWE-284

Affected Products (2)

openstack · octavia (up to 0.9.0)vulnerable

redhat · openstackvulnerable

References (6)

https://access.redhat.com/errata/RHSA-2019:1683

Third Party Advisory

https://access.redhat.com/errata/RHSA-2019:1742

Third Party Advisory