The OpenStack RabbitMQ container image insecurely retrieves the rabbitmq_clusterer component over plain HTTP, without any integrity or authenticity validation, during the image build stage. An attacker able to intercept or serve that download could deliver malicious code to the image builder, which would then be installed into the resulting container image.
Find out more about CVE-2018-14620 from the MITRE CVE dictionary and NIST NVD.
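To make the flaw concrete, the following added example (not part of the Red Hat advisory and not the OpenStack container build's own code) shows the shape of a build-time fetch that downloads over plain HTTP with no validation, beside a hardened form that pins the transport to HTTPS and checks a SHA-256 digest recorded in the build definition. The mirror URL and digests are placeholders, not the real rabbitmq_clusterer artifact or its hash.

```shell
#!/bin/sh
# Added example for CVE-2018-14620; the URL and digests below are
# constructed placeholders, not the real rabbitmq_clusterer artifact.

# --- insecure pattern (the shape the advisory describes; do not use) ---
# curl -o rabbitmq_clusterer.ez http://mirror.invalid/rabbitmq_clusterer.ez
# Anyone on the network path, or in control of the mirror, can substitute
# arbitrary code, and the build bakes it into the image layer unchecked.

# sha256_of FILE: print the hex SHA-256 of FILE (coreutils, or openssl fallback).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    openssl dgst -sha256 "$1" | awk '{print $NF}'
  fi
}

# verify_sha256 FILE EXPECTED_HEX: return 0 if the digest matches, 1 otherwise.
# This comparison is the validation step the original build omitted.
verify_sha256() {
  file=$1
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  actual=$(sha256_of "$file")
  if [ "$actual" = "$expected" ]; then
    return 0
  fi
  echo "digest mismatch for $file: expected $expected, got $actual" >&2
  return 1
}

# fetch_and_verify URL EXPECTED_HEX DEST: hardened download.
# --proto/--proto-redir '=https' refuse plain-HTTP URLs and redirects,
# --fail turns HTTP errors into a non-zero exit, and the digest check
# rejects a tampered or wrong artifact before it reaches the image.
fetch_and_verify() {
  url=$1; expected=$2; dest=$3
  tmp="$dest.part"
  curl --proto '=https' --proto-redir '=https' --tlsv1.2 --fail \
       --silent --show-error --location --output "$tmp" "$url" \
    || { rm -f "$tmp"; return 1; }
  if verify_sha256 "$tmp" "$expected"; then
    mv "$tmp" "$dest"
  else
    rm -f "$tmp"
    return 1
  fi
}

# demo_check: offline self-test with a constructed payload whose SHA-256
# is known; succeeds only if the good digest passes and a bad one fails.
demo_check() {
  f=$(mktemp)
  printf 'hello\n' > "$f"
  good=5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
  bad=0000000000000000000000000000000000000000000000000000000000000000
  if verify_sha256 "$f" "$good"; then ok=0; else ok=1; fi
  if verify_sha256 "$f" "$bad" 2>/dev/null; then rej=0; else rej=1; fi
  rm -f "$f"
  [ "$ok" -eq 0 ] && [ "$rej" -eq 1 ]
}

# Intended use in a build step (placeholder URL and digest):
# fetch_and_verify https://mirror.invalid/rabbitmq_clusterer.ez \
#   "$PINNED_SHA256" rabbitmq_clusterer.ez || exit 1
```

Pinning the digest in the build definition means a compromised mirror or an on-path attacker can at most fail the build, not alter what ships in the image; rotating the pin is then an explicit, reviewable change.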
Metric | Value |
---|---|
CVSS3 Base Score | 4.7 |
CVSS3 Base Metrics | CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N |
Attack Vector | Network |
Attack Complexity | High |
Privileges Required | None |
User Interaction | Required |
Scope | Changed |
Confidentiality Impact | Low |
Integrity Impact | Low |
Availability Impact | None |
Platform | Errata | Release Date |
---|---|---|
Red Hat OpenStack Platform 13.0 (Queens) | RHSA-2018:2721 | 2018-09-18 |
Red Hat OpenStack Platform 12.0 | RHSA-2018:2729 | 2018-09-20 |
Platform | Package | State |
---|---|---|
Red Hat OpenStack Platform 14 | openstack-rabbitmq-container | Not affected |
Red Hat OpenStack Platform 12.0 | openstack-containers | Affected |