Bug 1262518 (CVE-2015-5274) - CVE-2015-5274 OpenShift 2.2: API command injection vulnerability
Summary: CVE-2015-5274 OpenShift 2.2: API command injection vulnerability
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2015-5274
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1262519 1262520
Blocks: 1262521
Reported: 2015-09-12 04:34 UTC by Kurt Seifried
Modified: 2019-09-29 13:36 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
A command injection flaw was found in the OpenShift Origin Management Console. A remote, authenticated user permitted to send requests to the Broker could use this flaw to execute arbitrary commands with elevated privileges on the Red Hat OpenShift server.
Clone Of:
Environment:
Last Closed: 2015-09-16 19:44:38 UTC
Embargoed:




Links:
Red Hat Product Errata RHSA-2015:1808 (priority: normal, status: SHIPPED_LIVE) - Important: rubygem-openshift-origin-console security update - last updated 2015-09-16 23:06:18 UTC

Description Kurt Seifried 2015-09-12 04:34:12 UTC
It is reported that a command injection flaw exists in OpenShift's Broker API which can lead to arbitrary code execution within the OpenShift Broker. This issue can only be exploited by authenticated OpenShift users with access to connect to the broker (e.g. to start cartridge and gear instances). OpenShift version 3 is not affected.

Comment 3 errata-xmlrpc 2015-09-16 19:06:27 UTC
This issue has been addressed in the following products:

  RHEL 6 Version of OpenShift Enterprise 2.2

Via RHSA-2015:1808 https://rhn.redhat.com/errata/RHSA-2015-1808.html
