Impact: Moderate
Public Date: 2019-09-09
CWE: CWE-522
Bugzilla: 1732508

CVE-2019-10214 containers/image: not enforcing TLS when sending username+password credentials to token servers leading to credential disclosure

The containers/image library used by the container tools Podman, Buildah, and Skopeo in Red Hat Enterprise Linux version 8, and by CRI-O in OpenShift Container Platform, does not enforce TLS connections to the container registry authorization (token) service. An attacker positioned on the network path could use this vulnerability to launch a MiTM attack and steal login credentials or bearer tokens.
Find out more about CVE-2019-10214 from the MITRE CVE dictionary and NIST NVD.
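The defect described above is a missing transport check: a registry answers an unauthenticated request with a `WWW-Authenticate: Bearer realm=...` challenge, and the client then sends the user's credentials to that realm to obtain a token, without insisting that the realm is an https URL. The following Go example, added here and not taken from containers/image or any Red Hat product, shows the shape of the mitigation: parse the challenge, and refuse to build the token request unless the realm uses TLS or the caller has explicitly opted into insecure transport. The type and function names (`BearerChallenge`, `ParseBearerChallenge`, `TokenRequestURL`, `ErrInsecureRealm`) and the sample header values are constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// BearerChallenge holds the parameters of a "Bearer" WWW-Authenticate
// challenge as returned by a registry on an unauthenticated request.
type BearerChallenge struct {
	Realm   string
	Service string
	Scope   string
}

// ParseBearerChallenge parses a header value such as
//   Bearer realm="https://auth.example.test/token",service="registry",scope="repository:foo:pull"
// Assumption of this example: parameters are comma-separated key="value"
// pairs without embedded commas or escaped quotes.
func ParseBearerChallenge(header string) (BearerChallenge, error) {
	var ch BearerChallenge
	const prefix = "bearer "
	if len(header) < len(prefix) || !strings.EqualFold(header[:len(prefix)], prefix) {
		return ch, errors.New("not a Bearer challenge")
	}
	for _, part := range strings.Split(header[len(prefix):], ",") {
		kv := strings.SplitN(strings.TrimSpace(part), "=", 2)
		if len(kv) != 2 {
			return ch, fmt.Errorf("malformed parameter %q", part)
		}
		val := strings.Trim(kv[1], `"`)
		switch strings.ToLower(kv[0]) {
		case "realm":
			ch.Realm = val
		case "service":
			ch.Service = val
		case "scope":
			ch.Scope = val
		}
	}
	if ch.Realm == "" {
		return ch, errors.New("Bearer challenge has no realm")
	}
	return ch, nil
}

// ErrInsecureRealm is returned when credentials would otherwise be sent
// over plain HTTP to the token server.
var ErrInsecureRealm = errors.New("refusing to send credentials to non-TLS token server")

// TokenRequestURL builds the token request URL from the challenge. It is the
// point at which credentials are about to leave the client, so the scheme is
// checked here: anything other than https is rejected unless the caller has
// explicitly allowed insecure transport (the equivalent of a per-registry
// "insecure" setting).
func TokenRequestURL(ch BearerChallenge, allowInsecure bool) (string, error) {
	u, err := url.Parse(ch.Realm)
	if err != nil {
		return "", fmt.Errorf("bad realm %q: %w", ch.Realm, err)
	}
	if u.Scheme != "https" && !allowInsecure {
		return "", ErrInsecureRealm
	}
	q := u.Query()
	if ch.Service != "" {
		q.Set("service", ch.Service)
	}
	if ch.Scope != "" {
		q.Set("scope", ch.Scope)
	}
	u.RawQuery = q.Encode()
	return u.String(), nil
}

func main() {
	// Constructed sample challenges: one with a TLS realm, one pointing at
	// plain HTTP as a MiTM-rewritten challenge would.
	for _, h := range []string{
		`Bearer realm="https://auth.example.test/token",service="registry.example.test",scope="repository:library/app:pull"`,
		`Bearer realm="http://auth.example.test/token",service="registry.example.test"`,
	} {
		ch, err := ParseBearerChallenge(h)
		if err != nil {
			fmt.Println("parse error:", err)
			continue
		}
		u, err := TokenRequestURL(ch, false)
		fmt.Printf("realm=%s -> url=%q err=%v\n", ch.Realm, u, err)
	}
}
```

The check lives in the function that constructs the credentialed request rather than in the challenge parser, so that a realm which is syntactically valid but downgraded to http is still caught at the moment it matters. Clients that must talk to a test registry without TLS can pass `allowInsecure=true` for that registry only, which keeps the default safe.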
Red Hat Enterprise Linux 8:
This vulnerability is currently targeted to be addressed in an upcoming release.
Red Hat OpenShift Container Platform 3.10:
This vulnerability is currently targeted to be addressed in an upcoming release.
Red Hat OpenShift Container Platform 3.11:
This vulnerability is currently targeted to be addressed in an upcoming release.
Red Hat OpenShift Container Platform 3.9:
This vulnerability is currently targeted to be addressed in an upcoming release.
Red Hat OpenShift Container Platform 4.1:
This vulnerability is currently targeted to be addressed in an upcoming release.
NOTE: The following CVSS v3 metrics and score provided are preliminary and subject to review.
| CVSS3 Base Score | 6.4 |
|---|---|
| CVSS3 Base Metrics | CVSS:3.0/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N |
| Attack Vector | Adjacent Network |
| Attack Complexity | High |
| Privileges Required | None |
| User Interaction | Required |
| Scope | Unchanged |
| Confidentiality Impact | High |
| Integrity Impact | High |
| Availability Impact | None |
| Platform | Package | State |
|---|---|---|
| Red Hat OpenShift Container Platform 4.1 | cri-o | Affected |
| Red Hat OpenShift Container Platform 3.9 | cri-o | Affected |
| Red Hat OpenShift Container Platform 3.11 | cri-o | Affected |
| Red Hat OpenShift Container Platform 3.10 | cri-o | Affected |
| Red Hat Enterprise Linux 8 | container-tools:1.0/buildah | Affected |
| Red Hat Enterprise Linux 8 | container-tools:1.0/podman | Affected |
| Red Hat Enterprise Linux 8 | container-tools:1.0/skopeo | Affected |
| Red Hat Enterprise Linux 8 | container-tools:rhel8/skopeo | Affected |
| Red Hat Enterprise Linux 8 | container-tools:rhel8/podman | Affected |
| Red Hat Enterprise Linux 8 | container-tools:rhel8/buildah | Affected |