CVE-2017-15138

Impact: Moderate
Public Date: 2018-04-11
CWE: CWE-285
Bugzilla: 1566212: CVE-2017-15138 atomic-openshift: cluster-reader can escalate to creating builds via webhooks in any project
An improper authorization flaw in the atomic-openshift component of OpenShift Container Platform 3.7 and earlier allows a user with cluster-reader or project viewer permissions to trigger an application build. An attacker could use this flaw to trigger a build of an application when doing so should be restricted to more privileged users.

Find out more about CVE-2017-15138 from the MITRE CVE dictionary and NIST NVD.

Statement

The OpenShift Enterprise cluster-reader role can access webhook tokens [1], which allows an attacker with cluster-reader [2] or project viewer [3] permissions to view confidential webhook tokens.

[1] https://docs.openshift.com/container-platform/3.7/dev_guide/builds/triggering_builds.html#webhook-triggers
[2] https://docs.openshift.com/container-platform/3.7/admin_guide/manage_rbac.html
[3] https://docs.openshift.com/container-platform/3.7/admin_solutions/user_role_mgmt.html#adding-a-role-to-a-user

CVSS v3 metrics

CVSS3 Base Score: 5
CVSS3 Base Metrics: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed
Confidentiality Impact: Low
Integrity Impact: None
Availability Impact: None

Red Hat Security Errata

Platform                                                      | Errata          | Release Date
Red Hat OpenShift Container Platform 3.9 (atomic-openshift)   | RHBA-2018:0489  | 2018-03-28

Affected Packages State

Platform                                    | Package           | State
Red Hat OpenShift Enterprise 3.2            | atomic-openshift  | Will not fix
Red Hat OpenShift Container Platform 3.7    | atomic-openshift  | Will not fix

Acknowledgements

This issue was discovered by Jessica Forrester (Red Hat).

Mitigation

Don't use webhook tokens to trigger builds. Alternatively, don't rely on project viewer or cluster-reader permissions to prevent those users from running builds.
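To find where this mitigation applies, an administrator can inventory which BuildConfigs still rely on webhook triggers and whether their token is stored inline in the object (where any reader of the BuildConfig can see it). The script below is an added example, not Red Hat's or OpenShift's own tooling; it assumes the OpenShift 3.x BuildConfig trigger layout (`spec.triggers[].type` of GitHub/GitLab/Bitbucket/Generic with either an inline `secret` or a `secretReference`) and runs over a constructed BuildConfigList in the shape `oc get bc --all-namespaces -o json` returns.

```python
import json

# Constructed sample BuildConfigList (field layout follows the OpenShift 3.x
# BuildConfig API; names, namespaces and the token value are made up).
SAMPLE_BUILDCONFIG_LIST = json.dumps({
    "kind": "BuildConfigList",
    "items": [
        {
            "metadata": {"name": "frontend", "namespace": "shop"},
            "spec": {"triggers": [
                {"type": "GitHub", "github": {"secret": "EXAMPLE-inline-token"}},
                {"type": "ConfigChange"},
            ]},
        },
        {
            "metadata": {"name": "api", "namespace": "shop"},
            "spec": {"triggers": [
                {"type": "Generic", "generic": {"secretReference": {"name": "api-webhook"}}},
                {"type": "ImageChange", "imageChange": {}},
            ]},
        },
        {"metadata": {"name": "batch", "namespace": "reports"}, "spec": {"triggers": []}},
    ],
})

# Trigger type -> key under which that trigger's webhook settings live.
WEBHOOK_TYPES = {"GitHub": "github", "GitLab": "gitlab",
                 "Bitbucket": "bitbucket", "Generic": "generic"}


def find_webhook_triggers(bc_list_json):
    """Return one dict per webhook trigger: its location, its type, and whether
    the token is stored inline in the BuildConfig rather than in a Secret."""
    findings = []
    for bc in json.loads(bc_list_json).get("items", []):
        ns, name = bc["metadata"]["namespace"], bc["metadata"]["name"]
        for trig in bc.get("spec", {}).get("triggers", []):
            key = WEBHOOK_TYPES.get(trig.get("type"))
            if key is None:
                continue  # ImageChange / ConfigChange triggers are not webhooks
            cfg = trig.get(key, {})
            findings.append({"namespace": ns, "buildconfig": name,
                             "type": trig["type"], "inline_secret": "secret" in cfg})
    return findings


if __name__ == "__main__":
    for f in find_webhook_triggers(SAMPLE_BUILDCONFIG_LIST):
        where = "INLINE token" if f["inline_secret"] else "secretReference"
        print(f"{f['namespace']}/{f['buildconfig']}: {f['type']} webhook ({where})")
```

Any BuildConfig reported with an inline token is a candidate for removing the webhook trigger entirely, per the mitigation above.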
