Merge pull request #2144 from RedHatProductSecurity/CVE-2019-10150

CVE-2019-10150
2025-06-08 22:18:26 +00:00 · 2019-06-12 09:42:45 -04:00 · 2019-06-12 09:42:45 -04:00 · ee0a3e5d18
commit ee0a3e5d18
parent c5bb9eb57e e1e64a41c1
1 changed files with 60 additions and 4 deletions
--- a/2019/10xxx/CVE-2019-10150.json
+++ b/2019/10xxx/CVE-2019-10150.json
@ -4,15 +4,71 @@
    "data_version": "4.0",
    "CVE_data_meta": {
        "ID": "CVE-2019-10150",
-        "ASSIGNER": "cve@mitre.org",
+        "ASSIGNER": "mrehak@redhat.com"
-        "STATE": "RESERVED"
+    },
    "affects": {
        "vendor": {
            "vendor_data": [
                {
                    "vendor_name": "redhat",
                    "product": {
                        "product_data": [
                            {
                                "product_name": "atomic-openshift",
                                "version": {
                                    "version_data": [
                                        {
                                            "version_value": "3.6.x - 4.0.0"
                                        }
                                    ]
                                }
                            }
                        ]
                    }
                }
            ]
        }
    },
    "problemtype": {
        "problemtype_data": [
            {
                "description": [
                    {
                        "lang": "eng",
                        "value": "CWE-287"
                    }
                ]
            }
        ]
    },
    "references": {
        "reference_data": [
            {
                "url": "https://docs.openshift.com/container-platform/3.11/dev_guide/builds/build_inputs.html#source-secrets-ssh-key-authentication"
            },
            {
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10150",
                "name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10150",
                "refsource": "CONFIRM"
            }
        ]
    },
    "description": {
        "description_data": [
            {
                "lang": "eng",
-                "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+                "value": "It was found that OpenShift Container Platform versions 3.6.x - 4.6.0 does not perform SSH Host Key checking when using ssh key authentication during builds. An attacker, with the ability to redirect network traffic, could use this to alter the resulting build output."
            }
        ]
    },
    "impact": {
        "cvss": [
            [
                {
                    "vectorString": "5.9/CVSS:3.0/AV:A/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:L",
                    "version": "3.0"
                }
            ]
        ]
    }
-}
+}