CVE Database


Impact: Important
Public: 2014-05-21
CWE: CWE-73->CWE-78
Bugzilla: 1096955: CVE-2014-0233 OpenShift: downloadable cartridge source url file command execution as root


The MITRE CVE dictionary describes this issue as:

Red Hat OpenShift Enterprise 2.0 and 2.1 and OpenShift Origin allow remote authenticated users to execute arbitrary commands via shell metacharacters in a directory name that is referenced by a cartridge using the file: URI scheme.

Find out more about CVE-2014-0233 from the MITRE CVE dictionary and NIST NVD.

CVSS v2 metrics

Base Score: 7.2
Base Metrics: AV:L/AC:L/Au:N/C:C/I:C/A:C
Access Vector: Local
Access Complexity: Low
Authentication: None
Confidentiality Impact: Complete
Integrity Impact: Complete
Availability Impact: Complete

Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).

Red Hat security errata

Platform                                          Errata          Release Date
RHOSE Client 2.0 (rubygem-openshift-origin-node)  RHSA-2014:0529  May 21, 2014
RHOSE Client 2.0 (rubygem-openshift-origin-node)  RHSA-2014:0530  May 21, 2014


This issue was discovered by Jeremy Choi of the Red Hat HSS Pen-test Team.

This page is generated automatically and has not been checked for errors or omissions.

For clarification or corrections please contact the Red Hat Security Response Team.