{"containers": {"cna": {"affected": [{"product": "heketi", "vendor": "The Heketi Project", "versions": [{"status": "affected", "version": "heketi 6 as shipped with Openshift Container Platform 3.11"}]}], "descriptions": [{"lang": "en", "value": "It was found that default configuration of Heketi does not require any authentication potentially exposing the management interface to misuse. This isue only affects heketi as shipped with Openshift Container Platform 3.11."}], "metrics": [{"cvssV3_0": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-592", "description": "CWE-592", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2019-10-30T15:06:12", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3899"}, {"name": "RHSA-2019:3255", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2019:3255"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T19:26:26.706Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3899"}, {"name": "RHSA-2019:3255", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2019:3255"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2019-3899", "datePublished": "2019-04-22T15:20:07", "dateReserved": "2019-01-03T00:00:00", "dateUpdated": "2024-08-04T19:26:26.706Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:openshift_container_platform:3.11:*:*:*:*:*:*:*", "matchCriteriaId": "2F87326E-0B56-4356-A889-73D026DB1D4B", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:heketi_project:heketi:-:*:*:*:*:*:*:*", "matchCriteriaId": "6BC41E3F-D4DC-468D-BC6D-4B5F7B679DE3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "It was found that default configuration of Heketi does not require any authentication potentially exposing the management interface to misuse. This isue only affects heketi as shipped with Openshift Container Platform 3.11."}, {"lang": "es", "value": "Se encontr\u00f3 que la configuraci\u00f3n predeterminada de Heketi no requiere ninguna autenticaci\u00f3n, y expone potencialmente la interfaz de gesti\u00f3n a un mal uso. Esta situaci\u00f3n s\u00f3lo afecta a heketi tal y como se env\u00eda con Openshift Container Platform versi\u00f3n 3.11."}], "id": "CVE-2019-3899", "lastModified": "2023-02-12T23:38:50.393", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 3.4, "source": "secalert@redhat.com", "type": "Secondary"}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-04-22T16:29:01.787", "references": [{"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2019:3255"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Mitigation", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3899"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-592"}], "source": "secalert@redhat.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-306"}], "source": "nvd@nist.gov", "type": "Secondary"}]}

{"acknowledgement": "This issue was discovered by Daniel Moessner (Red Hat).", "affected_release": [{"advisory": "RHSA-2019:3255", "cpe": "cpe:/a:redhat:storage:3:client:el7", "package": "heketi-0:9.0.0-7.el7rhgs", "product_name": "Native Client for RHEL 7 for Red Hat Storage", "release_date": "2019-10-30T00:00:00Z"}, {"advisory": "RHSA-2019:3255", "cpe": "cpe:/a:redhat:storage:3.5:server:el7", "package": "heketi-0:9.0.0-7.el7rhgs", "product_name": "Red Hat Gluster Storage 3.5 for RHEL 7", "release_date": "2019-10-30T00:00:00Z"}], "bugzilla": {"description": "heketi: heketi can be installed using insecure defaults", "id": "1701091", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1701091"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.3", "cvss3_scoring_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "status": "verified"}, "cwe": "CWE-287", "details": ["It was found that default configuration of Heketi does not require any authentication potentially exposing the management interface to misuse. This isue only affects heketi as shipped with Openshift Container Platform 3.11.", "It was found that the default configuration of Heketi does not require any authentication, potentially exposing the Heketi server API to be misused. An unauthenticated attacker could connect remotely to Heketi Server and run arbitrary commands supported by Heketi Server API via Heketi CLI."], "mitigation": {"lang": "en:us", "value": "After installation of Heketi\n1. configure user and admin key in /etc/heketi/heketi.json file\n...\n{\n\"_port_comment\": \"Heketi Server Port Number\",\n\"port\": \"8080\",\n\"_use_auth\": \"Enable JWT authorization. Please enable for deployment\",\n\"use_auth\": true,\n\"_jwt\": \"Private keys for access\",\n\"jwt\": {\n\"_admin\": \"Admin has access to all APIs\",\n\"admin\": {\n\"key\": \"My Secret\"\n},\n\"_user\": \"User only has access to /volumes endpoint\",\n\"user\": {\n\"key\": \"My Secret\"\n}\n},\n...\n2. restart heketi server"}, "name": "CVE-2019-3899", "public_date": "2019-04-18T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2019-3899\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-3899"], "threat_severity": "Moderate"}