Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
redhatcveRedhat.comRH:CVE-2019-3899
HistoryApr 18, 2019 - 4:50 p.m.

CVE-2019-3899

2019-04-1816:50:58
redhat.com
access.redhat.com
12

0.002 Low

EPSS

Percentile

61.9%

JSON

It was found that the default configuration of Heketi does not require any authentication, potentially exposing the Heketi server API to be misused. An unauthenticated attacker could connect remotely to Heketi Server and run arbitrary commands supported by Heketi Server API via Heketi CLI.

Mitigation

After installation of Heketi

1. configure user and admin key in /etc/heketi/heketi.json file

{
"_port_comment": "Heketi Server Port Number",
"port": "8080",

"_use_auth": "Enable JWT authorization. Please enable for deployment",
"use_auth": true,

"_jwt": "Private keys for access",
"jwt": {
"_admin": "Admin has access to all APIs",
"admin": {
"key": "My Secret"
},
"_user": "User only has access to /volumes endpoint",
"user": {
"key": "My Secret"
}
},

2. restart heketi server

Related

nessus 1
nvd 1
prion 1
cvelist 1
veracode 1
redhat 1
osv 1
cve 1
nessus
nessus
RHEL 7 : heketi (RHSA-2019:3255)
2019-10-31 00:00:00
nvd
nvd
CVE-2019-3899
2019-04-22 16:29:01
prion
prion
Default configuration
2019-04-22 16:29:00
cvelist
cvelist
CVE-2019-3899
2019-04-22 15:20:07
veracode
veracode
Management Interface Exposed
2019-04-23 06:15:39
redhat
redhat
(RHSA-2019:3255) Moderate: heketi security, bug fix, and enhancement update
2019-10-30 12:23:27
osv
osv
CVE-2019-3899
2019-04-22 16:29:01
cve
cve
CVE-2019-3899
2019-04-22 16:29:01

0.002 Low

EPSS

Percentile

61.9%

JSON
Related for RH:CVE-2019-3899
nessus1nvd1prion1cvelist1veracode1redhat1osv1cve1