CVE-2016-1906
An authorization flaw was discovered in Kubernetes; the API server did not properly check user permissions when handling certain build-configuration strategies. A remote attacker could create build configurations with strategies that violate policy. Although the attacker could not launch the build themselves (launch fails when the policy is violated), if the build configuration files were later launched by other privileged services (such as automated triggers), user privileges could be bypassed allowing attacker escalation.
Find out more about CVE-2016-1906 from the MITRE CVE dictionary dictionary and NIST NVD.
CVSS v2 metrics
| Base Score | 4.6 |
|---|---|
| Base Metrics | AV:N/AC:H/Au:S/C:P/I:P/A:P |
| Access Vector | Network |
| Access Complexity | High |
| Authentication | Single |
| Confidentiality Impact | Partial |
| Integrity Impact | Partial |
| Availability Impact | Partial |
Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).
Red Hat Security Errata
| Platform | Errata | Release Date |
|---|---|---|
| Red Hat OpenShift Enterprise 3.1 | RHSA-2016:0070 | 2016-01-26 |
| Red Hat OpenShift Enterprise 3.0 (openshift) | RHSA-2016:0351 | 2016-03-03 |
Affected Packages State
| Platform | Package | State |
|---|---|---|
| Red Hat Enterprise Linux 7 | kubernetes | Will not fix |