CVE-2019-10150

EUVD-2019-2188
It was found that OpenShift Container Platform versions 3.6.x - 4.6.0 does not perform SSH Host Key checking when using ssh key authentication during builds. An attacker, with the ability to redirect network traffic, could use this to alter the resulting build output.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5.9 MEDIUM
ADJACENT_NETWORK
HIGH
NONE
CVSS:3.0/AV:A/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:L
redhatCNA
5.9 MEDIUM
ADJACENT_NETWORK
HIGH
NONE
CVSS:3.0/AV:A/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:L
Base Score
CVSS 3.x
EPSS Score
Percentile: 53%
Affected Products (NVD)
VendorProductVersion
redhatopenshift_container_platform
3.6 ≤
𝑥
≤ 4.1
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://access.redhat.com/errata/RHSA-2019:2989
https://access.redhat.com/errata/RHSA-2019:3007
https://access.redhat.com/errata/RHSA-2019:3143
https://access.redhat.com/errata/RHSA-2019:3811
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10150
https://docs.openshift.com/container-platform/3.11/dev_guide/builds/build_inputs.html#source-secrets-ssh-key-authentication
https://access.redhat.com/errata/RHSA-2019:2989
https://access.redhat.com/errata/RHSA-2019:3007
https://access.redhat.com/errata/RHSA-2019:3143
https://access.redhat.com/errata/RHSA-2019:3811
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10150
https://docs.openshift.com/container-platform/3.11/dev_guide/builds/build_inputs.html#source-secrets-ssh-key-authentication