Bug 1721264 (CVE-2019-10175) - CVE-2019-10175 containerized-data-importer: Exposed read access to all storage currently allocated to PVCs regardless of namespace
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-10175
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1723985 1723986
Blocks: 1721266
Reported: 2019-06-17 18:32 UTC by Pedro Sampaio
Modified: 2021-10-27 03:29 UTC

Fixed In Version:
Doc Text:
A flaw was found in the containerized-data-importer where the host-assisted cloning feature does not determine whether the requesting user has permission to access the Persistent Volume Claim (PVC) in the source namespace. This could allow users to clone any PVC in the cluster into their own namespace, effectively allowing access to other users' data.
Clone Of:
Environment:
Last Closed: 2021-10-27 03:29:36 UTC
Embargoed:



Description Pedro Sampaio 2019-06-17 18:32:01 UTC
A flaw was found in the containerized-data-importer. The host-assisted cloning feature doesn't limit which namespaces can be involved in a clone operation, permitting users to clone any PVC in the cluster into their own namespace. This effectively allows user read access to all storage currently allocated to PVCs regardless of namespace.

Comment 1 Pedro Sampaio 2019-06-17 21:12:06 UTC
Acknowledgments:

Name: Michael Henriksen (Red Hat), Alexander Wels (Red Hat), Adam Litke (Red Hat)
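
An audit for the condition this bug describes, added here as an example (it is not part of the bug report or of the containerized-data-importer code): it reads an object listing such as `kubectl get datavolumes,pvc --all-namespaces -o json` and reports every clone whose source PVC lives in a namespace other than the target's. The `spec.source.pvc` field, the `k8s.io/CloneRequest` annotation and the `allowed` pair list are assumptions about how a clone request is recorded and reviewed; none of them is stated in this report, and the sample listing is constructed.

```python
import json

# Constructed sample, shaped like a `kubectl get ... -o json` object listing.
SAMPLE = json.dumps({"items": [
    {"kind": "DataVolume",
     "metadata": {"namespace": "team-a", "name": "dv-local"},
     "spec": {"source": {"pvc": {"namespace": "team-a", "name": "golden"}}}},
    {"kind": "DataVolume",
     "metadata": {"namespace": "team-b", "name": "dv-copy"},
     "spec": {"source": {"pvc": {"namespace": "team-a", "name": "db-data"}}}},
    {"kind": "PersistentVolumeClaim",
     "metadata": {"namespace": "team-c", "name": "pvc-copy",
                  "annotations": {"k8s.io/CloneRequest": "team-a/db-data"}}},
    {"kind": "DataVolume",
     "metadata": {"namespace": "team-b", "name": "dv-http"},
     "spec": {"source": {"http": {"url": "https://example.invalid/disk.img"}}}},
]})

# Assumed clone-request annotation; its value is "<namespace>/<name>".
CLONE_ANNOTATION = "k8s.io/CloneRequest"


def clone_source(obj):
    """Return (namespace, name) of the PVC an object clones from, or None."""
    meta = obj.get("metadata") or {}
    pvc = ((obj.get("spec") or {}).get("source") or {}).get("pvc")
    if pvc and pvc.get("name"):
        # Assumption: an omitted source namespace means the object's own.
        return pvc.get("namespace") or meta.get("namespace"), pvc["name"]
    request = (meta.get("annotations") or {}).get(CLONE_ANNOTATION, "")
    ns, sep, name = request.partition("/")
    return (ns, name) if sep and ns and name else None


def cross_namespace_clones(listing_json, allowed=frozenset()):
    """List clones whose source PVC is in another namespace.

    allowed holds (source_ns, target_ns) pairs the cluster owner has approved.
    """
    findings = []
    for obj in json.loads(listing_json).get("items", []):
        src = clone_source(obj)
        target_ns = obj["metadata"]["namespace"]
        if src and src[0] != target_ns and (src[0], target_ns) not in allowed:
            findings.append({"target": f"{target_ns}/{obj['metadata']['name']}",
                             "source": f"{src[0]}/{src[1]}"})
    return findings


if __name__ == "__main__":
    for finding in cross_namespace_clones(SAMPLE):
        print(f"{finding['target']} clones {finding['source']}")
```

Each finding names a target that should be checked against who owns the source namespace, since the flaw is that the clone was performed without that check.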

