{"containers": {"cna": {"affected": [{"product": "atomic-openshift", "vendor": "Red Hat, Inc.", "versions": [{"status": "affected", "version": "as shipped with Openshift Enterprise 3.x"}]}], "datePublic": "2018-03-29T00:00:00", "descriptions": [{"lang": "en", "value": "A flaw was found in source-to-image function as shipped with Openshift Enterprise 3.x. An improper path validation of tar files in ExtractTarStreamFromTarReader in tar/tar.go leads to privilege escalation."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "description": "CWE-20", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2019-01-09T10:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"name": "RHSA-2018:1235", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2018:1235"}, {"name": "RHSA-2018:1241", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2018:1241"}, {"name": "RHSA-2018:1233", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2018:1233"}, {"name": "RHSA-2019:0036", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2019:0036"}, {"name": "RHSA-2018:1237", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2018:1237"}, {"name": "RHSA-2018:1227", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2018:1227"}, {"name": "RHSA-2018:1243", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2018:1243"}, {"name": "RHSA-2018:1231", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2018:1231"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1562246"}, {"name": "RHSA-2018:1229", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2018:1229"}, {"name": "RHSA-2018:1239", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2018:1239"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T03:51:49.044Z"}, "title": "CVE Program Container", "references": [{"name": "RHSA-2018:1235", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2018:1235"}, {"name": "RHSA-2018:1241", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2018:1241"}, {"name": "RHSA-2018:1233", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2018:1233"}, {"name": "RHSA-2019:0036", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2019:0036"}, {"name": "RHSA-2018:1237", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2018:1237"}, {"name": "RHSA-2018:1227", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2018:1227"}, {"name": "RHSA-2018:1243", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2018:1243"}, {"name": "RHSA-2018:1231", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2018:1231"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1562246"}, {"name": "RHSA-2018:1229", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2018:1229"}, {"name": "RHSA-2018:1239", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2018:1239"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2018-1102", "dateReserved": "2017-12-04T00:00:00", "dateUpdated": "2024-08-05T03:51:49.044Z", "state": "PUBLISHED", "datePublished": "2018-04-30T19:00:00Z"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:openshift:3.0:*:*:*:enterprise:*:*:*", "matchCriteriaId": "45690263-84D9-45A1-8C30-3ED2F0F11F47", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:openshift:3.1:*:*:*:enterprise:*:*:*", "matchCriteriaId": "F8E35FAB-695F-44DA-945D-60B47C1F200B", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:openshift:3.2:*:*:*:enterprise:*:*:*", "matchCriteriaId": "F33CEF04-05FA-444C-BB14-F3E3434AF61F", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:openshift:3.3:*:*:*:enterprise:*:*:*", "matchCriteriaId": "84C890EC-229B-458B-AEF7-EA03C6248A25", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:openshift:3.4:*:*:*:enterprise:*:*:*", "matchCriteriaId": "E1056A33-690E-4120-821F-52B9705CB84B", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:openshift:3.5:*:*:*:enterprise:*:*:*", "matchCriteriaId": "0FB4CEB9-3106-41D7-BBAA-FA92D2698FA4", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:openshift:3.6:*:*:*:enterprise:*:*:*", "matchCriteriaId": "4B196A82-385B-492A-8927-723CB8690CCC", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:openshift:3.7:*:*:*:enterprise:*:*:*", "matchCriteriaId": "2D9724B7-D99B-4376-B1B5-5CE5F336D767", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:openshift:3.8:*:*:*:enterprise:*:*:*", "matchCriteriaId": "2C73555F-B229-4946-B27B-E0FADA31625F", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:openshift:3.9:*:*:*:enterprise:*:*:*", "matchCriteriaId": "A8F8362B-DA49-439F-ADA1-B5BA443F91F7", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A flaw was found in source-to-image function as shipped with Openshift Enterprise 3.x. An improper path validation of tar files in ExtractTarStreamFromTarReader in tar/tar.go leads to privilege escalation."}, {"lang": "es", "value": "Se ha encontrado un error en la funci\u00f3n source-to-image tal y como se distribuye con Openshift Enterprise 3.x. Una validaci\u00f3n incorrecta de archivos tar en ExtractTarStreamFromTarReader en tar/tar.go conduce a un escalado de privilegios."}], "id": "CVE-2018-1102", "lastModified": "2024-11-21T03:59:11.153", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-04-30T19:29:00.217", "references": [{"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/errata/RHSA-2018:1227"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/errata/RHSA-2018:1229"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/errata/RHSA-2018:1231"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/errata/RHSA-2018:1233"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/errata/RHSA-2018:1235"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/errata/RHSA-2018:1237"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/errata/RHSA-2018:1239"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/errata/RHSA-2018:1241"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/errata/RHSA-2018:1243"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/errata/RHSA-2019:0036"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Patch", "Vendor Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1562246"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/errata/RHSA-2018:1227"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/errata/RHSA-2018:1229"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/errata/RHSA-2018:1231"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/errata/RHSA-2018:1233"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/errata/RHSA-2018:1235"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/errata/RHSA-2018:1237"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/errata/RHSA-2018:1239"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/errata/RHSA-2018:1241"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/errata/RHSA-2018:1243"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/errata/RHSA-2019:0036"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Patch", "Vendor Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1562246"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "secalert@redhat.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Secondary"}]}

{"acknowledgement": "Red Hat would like to thank Michael Hanselmann (hansmi.ch) for reporting this issue.", "affected_release": [{"advisory": "RHSA-2018:1241", "cpe": "cpe:/a:redhat:openshift:3.2::el7", "package": "atomic-openshift-0:3.2.1.34-2.git.3.aad33c3.el7", "product_name": "Red Hat OpenShift Container Platform 3.2", "release_date": "2018-04-29T00:00:00Z"}, {"advisory": "RHSA-2018:1239", "cpe": "cpe:/a:redhat:openshift:3.3::el7", "package": "atomic-openshift-0:3.3.1.46.39-2.git.3.cc57f5b.el7", "product_name": "Red Hat OpenShift Container Platform 3.3", "release_date": "2018-04-29T00:00:00Z"}, {"advisory": "RHSA-2018:1237", "cpe": "cpe:/a:redhat:openshift:3.4::el7", "package": "atomic-openshift-0:3.4.1.44.53-1.git.0.d7eb028.el7", "product_name": "Red Hat OpenShift Container Platform 3.4", "release_date": "2018-04-30T00:00:00Z"}, {"advisory": "RHSA-2018:1237", "cpe": "cpe:/a:redhat:openshift:3.4::el7", "package": "openshift-ansible-0:3.4.168-1.git.0.bb73aad.el7", "product_name": "Red Hat OpenShift Container Platform 3.4", "release_date": "2018-04-30T00:00:00Z"}, {"advisory": "RHSA-2018:1237", "cpe": "cpe:/a:redhat:openshift:3.4::el7", "package": "python-ruamel-yaml-0:0.12.14-9.el7", "product_name": "Red Hat OpenShift Container Platform 3.4", "release_date": "2018-04-30T00:00:00Z"}, {"advisory": "RHSA-2018:1235", "cpe": "cpe:/a:redhat:openshift:3.5::el7", "package": "atomic-openshift-0:3.5.5.31.67-1.git.0.0a8cf24.el7", "product_name": "Red Hat OpenShift Container Platform 3.5", "release_date": "2018-04-30T00:00:00Z"}, {"advisory": "RHSA-2018:1235", "cpe": "cpe:/a:redhat:openshift:3.5::el7", "package": "openshift-ansible-0:3.5.165-1.git.0.475fa67.el7", "product_name": "Red Hat OpenShift Container Platform 3.5", "release_date": "2018-04-30T00:00:00Z"}, {"advisory": "RHSA-2018:1233", "cpe": "cpe:/a:redhat:openshift:3.6::el7", "package": "atomic-openshift-0:3.6.173.0.113-1.git.0.65fb9fb.el7", "product_name": "Red Hat OpenShift Container Platform 3.6", "release_date": "2018-04-30T00:00:00Z"}, {"advisory": "RHSA-2018:1233", "cpe": "cpe:/a:redhat:openshift:3.6::el7", "package": "rubygem-cool.io-0:1.5.3-1.el7", "product_name": "Red Hat OpenShift Container Platform 3.6", "release_date": "2018-04-30T00:00:00Z"}, {"advisory": "RHSA-2018:1233", "cpe": "cpe:/a:redhat:openshift:3.6::el7", "package": "rubygem-excon-0:0.60.0-1.el7", "product_name": "Red Hat OpenShift Container Platform 3.6", "release_date": "2018-04-30T00:00:00Z"}, {"advisory": "RHSA-2018:1233", "cpe": "cpe:/a:redhat:openshift:3.6::el7", "package": "rubygem-faraday-0:0.13.1-1.el7", "product_name": "Red Hat OpenShift Container Platform 3.6", "release_date": "2018-04-30T00:00:00Z"}, {"advisory": "RHSA-2018:1233", "cpe": "cpe:/a:redhat:openshift:3.6::el7", "package": "rubygem-ffi-0:1.9.23-1.el7", "product_name": "Red Hat OpenShift Container Platform 3.6", "release_date": "2018-04-30T00:00:00Z"}, {"advisory": "RHSA-2018:1233", "cpe": "cpe:/a:redhat:openshift:3.6::el7", "package": "rubygem-fluent-plugin-kubernetes_metadata_filter-0:1.0.1-1.el7", "product_name": "Red Hat OpenShift Container Platform 3.6", "release_date": "2018-04-30T00:00:00Z"}, {"advisory": "RHSA-2018:1233", "cpe": "cpe:/a:redhat:openshift:3.6::el7", "package": "rubygem-fluent-plugin-systemd-0:0.0.9-1.el7", "product_name": "Red Hat OpenShift Container Platform 3.6", "release_date": "2018-04-30T00:00:00Z"}, {"advisory": "RHSA-2018:1233", "cpe": "cpe:/a:redhat:openshift:3.6::el7", "package": "rubygem-minitest-0:5.10.3-1.el7", "product_name": "Red Hat OpenShift Container Platform 3.6", "release_date": "2018-04-30T00:00:00Z"}, {"advisory": "RHSA-2018:1233", "cpe": "cpe:/a:redhat:openshift:3.6::el7", "package": "rubygem-msgpack-0:1.2.2-1.el7", "product_name": "Red Hat OpenShift Container Platform 3.6", "release_date": "2018-04-30T00:00:00Z"}, {"advisory": "RHSA-2018:1233", "cpe": "cpe:/a:redhat:openshift:3.6::el7", "package": "rubygem-multi_json-0:1.13.1-1.el7", "product_name": "Red Hat OpenShift Container Platform 3.6", "release_date": "2018-04-30T00:00:00Z"}, {"advisory": "RHSA-2018:1233", "cpe": "cpe:/a:redhat:openshift:3.6::el7", "package": "rubygem-systemd-journal-0:1.3.1-1.el7", "product_name": "Red Hat OpenShift Container Platform 3.6", "release_date": "2018-04-30T00:00:00Z"}, {"advisory": "RHSA-2018:1233", "cpe": "cpe:/a:redhat:openshift:3.6::el7", "package": "rubygem-tzinfo-0:1.2.5-1.el7", "product_name": "Red Hat OpenShift Container Platform 3.6", "release_date": "2018-04-30T00:00:00Z"}, {"advisory": "RHSA-2018:1233", "cpe": "cpe:/a:redhat:openshift:3.6::el7", "package": "rubygem-tzinfo-data-0:1.2018.3-1.el7", "product_name": "Red Hat OpenShift Container Platform 3.6", "release_date": "2018-04-30T00:00:00Z"}, {"advisory": "RHSA-2018:1233", "cpe": "cpe:/a:redhat:openshift:3.6::el7", "package": "rubygem-unf_ext-0:0.0.7.5-1.el7", "product_name": "Red Hat OpenShift Container Platform 3.6", "release_date": "2018-04-30T00:00:00Z"}, {"advisory": "RHSA-2018:1231", "cpe": "cpe:/a:redhat:openshift:3.7::el7", "package": "apb-0:1.0.6-1.el7", "product_name": "Red Hat OpenShift Container Platform 3.7", "release_date": "2018-04-29T00:00:00Z"}, {"advisory": "RHSA-2018:1231", "cpe": "cpe:/a:redhat:openshift:3.7::el7", "package": "atomic-openshift-0:3.7.44-1.git.0.6b061d4.el7", "product_name": "Red Hat OpenShift Container Platform 3.7", "release_date": "2018-04-29T00:00:00Z"}, {"advisory": "RHSA-2018:1231", "cpe": "cpe:/a:redhat:openshift:3.7::el7", "package": "rubygem-fluent-plugin-elasticsearch-0:1.14.0-1.el7", "product_name": "Red Hat OpenShift Container Platform 3.7", "release_date": "2018-04-29T00:00:00Z"}, {"advisory": "RHSA-2018:1229", "cpe": "cpe:/a:redhat:openshift:3.8::el7", "package": "atomic-openshift-0:3.8.37-1.git.0.e85a326.el7", "product_name": "Red Hat OpenShift Container Platform 3.8", "release_date": "2018-04-28T00:00:00Z"}, {"advisory": "RHSA-2018:1229", "cpe": "cpe:/a:redhat:openshift:3.8::el7", "package": "atomic-openshift-dockerregistry-0:3.8.37-1.git.224.8e15ecf.el7", "product_name": "Red Hat OpenShift Container Platform 3.8", "release_date": "2018-04-28T00:00:00Z"}, {"advisory": "RHSA-2018:1229", "cpe": "cpe:/a:redhat:openshift:3.8::el7", "package": "openshift-ansible-0:3.8.37-1.git.0.be319af.el7", "product_name": "Red Hat OpenShift Container Platform 3.8", "release_date": "2018-04-28T00:00:00Z"}, {"advisory": "RHSA-2018:1227", "cpe": "cpe:/a:redhat:openshift:3.9::el7", "package": "atomic-openshift-0:3.9.25-1.git.0.6bc473e.el7", "product_name": "Red Hat OpenShift Container Platform 3.9", "release_date": "2018-04-28T00:00:00Z"}, {"advisory": "RHSA-2018:1243", "cpe": "cpe:/a:redhat:openshift:3.1::el7", "package": "atomic-openshift-0:3.1.1.11-4.git.3.12809c8.el7", "product_name": "Red Hat OpenShift Enterprise 3.1", "release_date": "2018-04-29T00:00:00Z"}, {"advisory": "RHSA-2019:0036", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "impact": "important", "package": "source-to-image-0:1.1.13-1.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2019-01-08T00:00:00Z"}, {"advisory": "RHSA-2019:0036", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "impact": "important", "package": "source-to-image-0:1.1.13-1.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS", "release_date": "2019-01-08T00:00:00Z"}, {"advisory": "RHSA-2019:0036", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "impact": "important", "package": "source-to-image-0:1.1.13-1.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS", "release_date": "2019-01-08T00:00:00Z"}, {"advisory": "RHSA-2019:0036", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "impact": "important", "package": "source-to-image-0:1.1.13-1.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS", "release_date": "2019-01-08T00:00:00Z"}], "bugzilla": {"description": "source-to-image: Improper path sanitization in ExtractTarStreamFromTarReader in tar/tar.go", "id": "1562246", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1562246"}, "csaw": true, "cvss3": {"cvss3_base_score": "9.9", "cvss3_scoring_vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-20", "details": ["A flaw was found in source-to-image function as shipped with Openshift Enterprise 3.x. An improper path validation of tar files in ExtractTarStreamFromTarReader in tar/tar.go leads to privilege escalation.", "A flaw was found in source-to-image function as shipped with Openshift Enterprise 3.x. An improper path validation of tar files in ExtractTarStreamFromTarReader in tar/tar.go leads to privilege escalation."], "mitigation": {"lang": "en:us", "value": "Customers can turn off the source-to-image (S2I) build strategy to prevent access to the exploitable function. Information about how to disable the source-to-image build strategy is in the product documentation.\n* Disabling S2I in OpenShift Enterprise 3.0 - https://docs.openshift.com/enterprise/3.0/admin_guide/securing_builds.html#disabling-a-build-strategy-globally\n* Disabling S2I in OpenShift Enterprise 3.1 - https://docs.openshift.com/enterprise/3.1/admin_guide/securing_builds.html#disabling-a-build-strategy-globally\n* Disabling S2I in OpenShift Enterprise 3.2 - https://docs.openshift.com/enterprise/3.2/admin_guide/securing_builds.html#disabling-a-build-strategy-globally\n* Disabling S2I in OpenShift Enterprise 3.3 - https://access.redhat.com/documentation/en-us/openshift_container_platform/3.3/html/cluster_administration/admin-guide-securing-builds\n* Disabling S2I in OpenShift Enterprise 3.4 - https://access.redhat.com/documentation/en-us/openshift_container_platform/3.4/html/cluster_administration/admin-guide-securing-builds\n* Disabling S2I in OpenShift Enterprise 3.5 - https://access.redhat.com/documentation/en-us/openshift_container_platform/3.5/html/cluster_administration/admin-guide-securing-builds\n* Disabling S2I in OpenShift Enterprise 3.6 - https://access.redhat.com/documentation/en-us/openshift_container_platform/3.6/html/cluster_administration/admin-guide-securing-builds\n* Disabling S2I in OpenShift Enterprise 3.7 - https://access.redhat.com/documentation/en-us/openshift_container_platform/3.7/html/cluster_administration/admin-guide-securing-builds\n* OpenShift Enterprise 3.8 is not a production version (only for upgrades).\n* Disabling S2I in OpenShift Enterprise 3.9 - https://access.redhat.com/documentation/en-us/openshift_container_platform/3.9/html/cluster_administration/admin-guide-securing-builds"}, "name": "CVE-2018-1102", "public_date": "2018-04-27T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2018-1102\nhttps://nvd.nist.gov/vuln/detail/CVE-2018-1102\nhttps://access.redhat.com/security/vulnerabilities/3422241"], "statement": "Package source-to-image as shipped in Red Hat Software Collections has been rated as Important, because it allows an attacker to get access to the victim's machine, but it requires user interaction.", "threat_severity": "Critical"}