{"containers": {"cna": {"affected": [{"product": "atomic-openshift", "vendor": "RedHat", "versions": [{"status": "affected", "version": "all versions fixed"}]}], "descriptions": [{"lang": "en", "value": "A flaw was found in OpenShift Container Platform, versions 3.11 and later, in which the CSRF tokens used in the cluster console component were found to remain static during a user's session. An attacker with the ability to observe the value of this token would be able to re-use the token to perform a CSRF attack."}], "metrics": [{"cvssV3_0": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-352", "description": "CWE-352", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2019-12-16T17:06:10", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10176"}, {"name": "RHSA-2019:2792", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2019:2792"}, {"name": "RHSA-2019:4053", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2019:4053"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T22:10:09.971Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10176"}, {"name": "RHSA-2019:2792", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2019:2792"}, {"name": "RHSA-2019:4053", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2019:4053"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2019-10176", "datePublished": "2019-08-02T13:51:09", "dateReserved": "2019-03-27T00:00:00", "dateUpdated": "2024-08-04T22:10:09.971Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:openshift_container_platform:3.11:*:*:*:*:*:*:*", "matchCriteriaId": "2F87326E-0B56-4356-A889-73D026DB1D4B", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:openshift_container_platform:4.1:*:*:*:*:*:*:*", "matchCriteriaId": "064E7BDD-4EF0-4A0D-A38D-8C75BAFEDCEF", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A flaw was found in OpenShift Container Platform, versions 3.11 and later, in which the CSRF tokens used in the cluster console component were found to remain static during a user's session. An attacker with the ability to observe the value of this token would be able to re-use the token to perform a CSRF attack."}, {"lang": "es", "value": "Se detect\u00f3 un fallo en OpenShift Container Platform, versiones 3.11 y posteriores, en la que se encontr\u00f3 que los tokens CSRF usados en el componente cluster console permanec\u00edan est\u00e1ticos durante la sesi\u00f3n de un usuario. Un atacante con la capacidad de observar el valor de este token podr\u00eda ser capaz de reutilizar el token para realizar un ataque de tipo CSRF."}], "id": "CVE-2019-10176", "lastModified": "2024-11-21T04:18:35.207", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 1.6, "impactScore": 2.5, "source": "secalert@redhat.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-08-02T15:15:11.803", "references": [{"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2019:2792"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2019:4053"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10176"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://access.redhat.com/errata/RHSA-2019:2792"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://access.redhat.com/errata/RHSA-2019:4053"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10176"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "secalert@redhat.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-352"}], "source": "nvd@nist.gov", "type": "Secondary"}]}

{"acknowledgement": "This issue was discovered by Jeremy Choi (Red Hat).", "affected_release": [{"advisory": "RHSA-2019:4053", "cpe": "cpe:/a:redhat:openshift:3.11::el7", "package": "openshift3/ose-console:v3.11.157-1", "product_name": "Red Hat OpenShift Container Platform 3.11", "release_date": "2019-12-16T00:00:00Z"}, {"advisory": "RHSA-2019:2792", "cpe": "cpe:/a:redhat:openshift:4.1::el7", "package": "openshift4/ose-console:v4.1.16-201909100604", "product_name": "Red Hat OpenShift Container Platform 4.1", "release_date": "2019-09-17T00:00:00Z"}, {"advisory": "RHBA-2019:2922", "cpe": "cpe:/a:redhat:openshift:4.2::el7", "package": "openshift4/ose-console:v4.2.0-201910101614", "product_name": "Red Hat OpenShift Container Platform 4.2", "release_date": "2019-10-16T00:00:00Z"}], "bugzilla": {"description": "atomic-openshift: CSRF tokens not refreshing while user is logged in and are exposed in the URL", "id": "1712569", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1712569"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.2", "cvss3_scoring_vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N", "status": "verified"}, "cwe": "CWE-352", "details": ["A flaw was found in OpenShift Container Platform, versions 3.11 and later, in which the CSRF tokens used in the cluster console component were found to remain static during a user's session. An attacker with the ability to observe the value of this token would be able to re-use the token to perform a CSRF attack.", "A flaw was found in OpenShift Container Platform, versions 3.11 and later, in which the CSRF tokens used in the cluster console component were found to remain static during a user's session. An attacker with the ability to observe the value of this token would be able to re-use the token to perform a CSRF attack."], "name": "CVE-2019-10176", "package_state": [{"cpe": "cpe:/a:redhat:openshift:3.10", "fix_state": "Not affected", "package_name": "atomic-openshift", "product_name": "Red Hat OpenShift Container Platform 3.10"}, {"cpe": "cpe:/a:redhat:openshift:3.6", "fix_state": "Not affected", "package_name": "atomic-openshift", "product_name": "Red Hat OpenShift Container Platform 3.6"}, {"cpe": "cpe:/a:redhat:openshift:3.7", "fix_state": "Not affected", "package_name": "atomic-openshift", "product_name": "Red Hat OpenShift Container Platform 3.7"}, {"cpe": "cpe:/a:redhat:openshift:3.9", "fix_state": "Not affected", "package_name": "atomic-openshift", "product_name": "Red Hat OpenShift Container Platform 3.9"}], "public_date": "2019-07-09T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2019-10176\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-10176"], "statement": "OpenShift Container Platform versions prior to 3.11 do not contain the affected \"cluster console\" component and are not vulnerable to this flaw.", "threat_severity": "Moderate"}