CVE-2019-10138

Impact:
Moderate
Public Date:
2019-01-17
CWE:
CWE-284
Bugzilla:
1670573: CVE-2019-10138 python-novajoin: novajoin API lacks access control
A flaw was discovered in the python-novajoin plugin for Red Hat OpenStack Platform. The novajoin API lacked sufficient access control, allowing any keystone authenticated user to generate FreeIPA tokens.

Find out more about CVE-2019-10138 from the MITRE CVE dictionary dictionary and NIST NVD.

CVSS v3 metrics

CVSS3 Base Score 7.1
CVSS3 Base Metrics CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
Attack Vector Network
Attack Complexity High
Privileges Required Low
User Interaction Required
Scope Unchanged
Confidentiality High
Integrity Impact High
Availability Impact High

Red Hat Security Errata

Platform Errata Release Date
Red Hat OpenStack Platform 13.0 (Queens) (python-novajoin) RHSA-2019:1728 2019-07-10
Red Hat OpenStack Platform 14.0 (Rocky) (python-novajoin) RHBA-2019:0944 2019-04-30

Acknowledgements

This issue was discovered by Grzegorz Grasza (Red Hat).

External References

Last Modified