Bug 1721264 (CVE-2019-10175)
Summary: | CVE-2019-10175 containerized-data-importer: Exposed read access to all storage currently allocated to PVCs regardless of namespace | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Pedro Sampaio <psampaio> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | alitke, cnv-qe-bugs, fdeutsch, fsimonce, jpadman, mhenriks, security-response-team |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | If docs needed, set a value | |
Doc Text: | A flaw was found in the containerized-data-importer where the host-assisted cloning feature does not determine whether the requesting user has permission to access the Persistent Volume Claim (PVC) in the source namespace. This could allow users to clone any PVC in the cluster into their own namespace, effectively allowing access to other users' data. |
Last Closed: | 2021-10-27 03:29:36 UTC | Type: | --- |
Bug Depends On: | 1723985, 1723986 | ||
Bug Blocks: | 1721266 |
Description
Pedro Sampaio
2019-06-17 18:32:01 UTC
Acknowledgments: Name: Michael Henriksen (Red Hat), Alexander Wels (Red Hat), Adam Litke (Red Hat)