CVE-2019-10165

Description

OpenShift Container Platform before version 4.1.3 writes OAuth tokens in plaintext to the audit logs for the Kubernetes API server and OpenShift API server. A user with sufficient privileges could recover OAuth tokens from these audit logs and use them to access other resources.

CVSS breakdown

CVSS 3.0

Attack Vector

Local

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

Affected products

Red Hat / openshiftfixed in 4.1.3 – fixed in 4.1.3

References

MISChttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10165
PATCHhttps://github.com/openshift/cluster-kube-apiserver-operator/pull/499/
PATCHhttps://github.com/openshift/cluster-openshift-apiserver-operator/pull/205