CVE-2017-12195
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:P/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
EPSS
Percentile
46.4%
A flaw was found in all Openshift Enterprise versions using the openshift elasticsearch plugin. An attacker with knowledge of the given name used to authenticate and access Elasticsearch can later access it without the token, bypassing authentication. This attack also requires that the Elasticsearch be configured with an external route, and the data accessed is limited to the indices.
Affected configurations
| Vendor | Product | Version | CPE |
|---|---|---|---|
| redhat | openshift_container_platform | 3.4 | cpe:2.3:a:redhat:openshift_container_platform:3.4:*:*:*:*:*:*:* |
| redhat | openshift_container_platform | 3.5 | cpe:2.3:a:redhat:openshift_container_platform:3.5:*:*:*:*:*:*:* |
| redhat | openshift_container_platform | 3.6 | cpe:2.3:a:redhat:openshift_container_platform:3.6:*:*:*:*:*:*:* |
| redhat | openshift_container_platform | 3.7 | cpe:2.3:a:redhat:openshift_container_platform:3.7:*:*:*:*:*:*:* |
Related
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:P/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
EPSS
Percentile
46.4%