{"containers": {"cna": {"affected": [{"product": "atomic-openshift", "vendor": "Red Hat", "versions": [{"status": "affected", "version": "atomic-openshift-3.7"}]}], "datePublic": "2018-09-06T00:00:00", "descriptions": [{"lang": "en", "value": "An out of bound write can occur when patching an Openshift object using the 'oc patch' functionality in OpenShift Container Platform before 3.7. An attacker can use this flaw to cause a denial of service attack on the Openshift master api service which provides cluster management."}], "metrics": [{"cvssV3_0": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-787", "description": "CWE-787", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2018-12-11T10:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14632"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/evanphx/json-patch/commit/4c9aadca8f89e349c999f04e28199e96e81aba03#diff-65c563bba473be9d94ce4d033f74810e"}, {"name": "RHBA-2018:2652", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHBA-2018:2652"}, {"name": "RHSA-2018:2654", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2018:2654"}, {"name": "RHSA-2018:2908", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2018:2908"}, {"name": "RHSA-2018:2906", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2018:2906"}, {"name": "RHSA-2018:2709", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2018:2709"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert@redhat.com", "ID": "CVE-2018-14632", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "atomic-openshift", "version": {"version_data": [{"version_value": "atomic-openshift-3.7"}]}}]}, "vendor_name": "Red Hat"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An out of bound write can occur when patching an Openshift object using the 'oc patch' functionality in OpenShift Container Platform before 3.7. An attacker can use this flaw to cause a denial of service attack on the Openshift master api service which provides cluster management."}]}, "impact": {"cvss": [[{"vectorString": "7.7/CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H", "version": "3.0"}]]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-787"}]}]}, "references": {"reference_data": [{"name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14632", "refsource": "CONFIRM", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14632"}, {"name": "https://github.com/evanphx/json-patch/commit/4c9aadca8f89e349c999f04e28199e96e81aba03#diff-65c563bba473be9d94ce4d033f74810e", "refsource": "CONFIRM", "url": "https://github.com/evanphx/json-patch/commit/4c9aadca8f89e349c999f04e28199e96e81aba03#diff-65c563bba473be9d94ce4d033f74810e"}, {"name": "RHBA-2018:2652", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHBA-2018:2652"}, {"name": "RHSA-2018:2654", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2018:2654"}, {"name": "RHSA-2018:2908", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2018:2908"}, {"name": "RHSA-2018:2906", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2018:2906"}, {"name": "RHSA-2018:2709", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2018:2709"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T09:38:13.091Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14632"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/evanphx/json-patch/commit/4c9aadca8f89e349c999f04e28199e96e81aba03#diff-65c563bba473be9d94ce4d033f74810e"}, {"name": "RHBA-2018:2652", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHBA-2018:2652"}, {"name": "RHSA-2018:2654", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2018:2654"}, {"name": "RHSA-2018:2908", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2018:2908"}, {"name": "RHSA-2018:2906", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2018:2906"}, {"name": "RHSA-2018:2709", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2018:2709"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2018-14632", "datePublished": "2018-09-06T13:00:00", "dateReserved": "2018-07-27T00:00:00", "dateUpdated": "2024-08-05T09:38:13.091Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:openshift_container_platform:*:*:*:*:*:*:*:*", "matchCriteriaId": "1B5E2DD9-2F3F-45CB-BFED-BC50DB915FA2", "versionEndIncluding": "3.7", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:openshift_container_platform:3.9:*:*:*:*:*:*:*", "matchCriteriaId": "309CB6F8-F178-454C-BE97-787F78647C28", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:openshift_container_platform:3.10:*:*:*:*:*:*:*", "matchCriteriaId": "4DBCD38F-BBE8-488C-A8C3-5782F191D915", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:openshift_container_platform:3.11:*:*:*:*:*:*:*", "matchCriteriaId": "2F87326E-0B56-4356-A889-73D026DB1D4B", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:starcounter-jack:json-patch:-:*:*:*:*:*:*:*", "matchCriteriaId": "8627819A-DD2C-49CE-BA40-CA5FCFD9C2AD", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An out of bound write can occur when patching an Openshift object using the 'oc patch' functionality in OpenShift Container Platform before 3.7. An attacker can use this flaw to cause a denial of service attack on the Openshift master api service which provides cluster management."}, {"lang": "es", "value": "Puede ocurrir una escritura fuera de l\u00edmites al parchear un objeto Openshift mediante la funcionalidad \"oc patch\" en OpenShift Container Platform, en versiones anteriores a la 3.7. Un atacante puede emplear este error para provocar un ataque de denegaci\u00f3n de servicio (DoS) en el servicio de la API maestra de Openshift que gestiona los cl\u00fasteres."}], "id": "CVE-2018-14632", "lastModified": "2023-02-07T22:18:46.403", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 4.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H", "version": "3.0"}, "exploitabilityScore": 3.1, "impactScore": 4.0, "source": "secalert@redhat.com", "type": "Secondary"}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 4.0, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-09-06T14:29:00.587", "references": [{"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/errata/RHBA-2018:2652"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/errata/RHSA-2018:2654"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/errata/RHSA-2018:2709"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/errata/RHSA-2018:2906"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/errata/RHSA-2018:2908"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Patch", "Vendor Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14632"}, {"source": "secalert@redhat.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/evanphx/json-patch/commit/4c9aadca8f89e349c999f04e28199e96e81aba03#diff-65c563bba473be9d94ce4d033f74810e"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-787"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-787"}], "source": "secalert@redhat.com", "type": "Secondary"}]}

{"acknowledgement": "Red Hat would like to thank Lars Haugan for reporting this issue.", "affected_release": [{"advisory": "RHSA-2018:2709", "cpe": "cpe:/a:redhat:openshift:3.10::el7", "package": "atomic-openshift-0:3.10.66-1.git.0.91d1e89.el7", "product_name": "Red Hat OpenShift Container Platform 3.10", "release_date": "2018-11-11T00:00:00Z"}, {"advisory": "RHBA-2018:2652", "cpe": "cpe:/a:redhat:openshift:3.11::el7", "package": "atomic-openshift-0:3.11.16-1.git.0.b48b8f8.el7", "product_name": "Red Hat OpenShift Container Platform 3.11", "release_date": "2018-10-11T00:00:00Z"}, {"advisory": "RHSA-2018:2654", "cpe": "cpe:/a:redhat:openshift:3.6::el7", "package": "atomic-openshift-0:3.6.173.0.130-1.git.0.8d78a39.el7", "product_name": "Red Hat OpenShift Container Platform 3.6", "release_date": "2018-09-26T00:00:00Z"}, {"advisory": "RHSA-2018:2906", "cpe": "cpe:/a:redhat:openshift:3.7::el7", "package": "atomic-openshift-0:3.7.72-1.git.0.925b9cd.el7", "product_name": "Red Hat OpenShift Container Platform 3.7", "release_date": "2018-11-21T00:00:00Z"}, {"advisory": "RHSA-2018:2908", "cpe": "cpe:/a:redhat:openshift:3.9::el7", "package": "atomic-openshift-0:3.9.51-1.git.0.dc3a40b.el7", "product_name": "Red Hat OpenShift Container Platform 3.9", "release_date": "2018-11-20T00:00:00Z"}], "bugzilla": {"description": "atomic-openshift: oc patch with json causes masterapi service crash", "id": "1625885", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1625885"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.7", "cvss3_scoring_vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-787", "details": ["An out of bound write can occur when patching an Openshift object using the 'oc patch' functionality in OpenShift Container Platform before 3.7. An attacker can use this flaw to cause a denial of service attack on the Openshift master api service which provides cluster management.", "An out of bounds write can occur when patching an Openshift object using the 'oc patch' functionality in OpenShift Container Platform 3.x. An attacker can use this flaw to cause a denial of service attack on the Openshift master API service which provides cluster management."], "name": "CVE-2018-14632", "package_state": [{"cpe": "cpe:/a:redhat:openshift:3.2", "fix_state": "Affected", "package_name": "atomic-openshift", "product_name": "Red Hat OpenShift Container Platform 3.2"}, {"cpe": "cpe:/a:redhat:openshift:3.3", "fix_state": "Affected", "package_name": "atomic-openshift", "product_name": "Red Hat OpenShift Container Platform 3.3"}, {"cpe": "cpe:/a:redhat:openshift:3.4", "fix_state": "Affected", "package_name": "atomic-openshift", "product_name": "Red Hat OpenShift Container Platform 3.4"}, {"cpe": "cpe:/a:redhat:openshift:3.5", "fix_state": "Affected", "package_name": "atomic-openshift", "product_name": "Red Hat OpenShift Container Platform 3.5"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:3.0", "fix_state": "Affected", "package_name": "openshift", "product_name": "Red Hat OpenShift Enterprise 3.0"}], "public_date": "2018-09-06T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2018-14632\nhttps://nvd.nist.gov/vuln/detail/CVE-2018-14632"], "statement": "A multi-master Openshift Container Platform cluster is more resilient, however a sustained attack would still have an important impact.", "threat_severity": "Important", "upstream_fix": "atomic-openshift 3.11"}