CVE-2019-10214
MEDIUM EPSS 72.8%
Published Nov 25, 2019 (6y ago) · Modified Jun 17, 2026 (2w ago)
5.9 CVSS 3.1
Description
The containers/image library, used by the container tools Podman, Buildah, and Skopeo in Red Hat Enterprise Linux version 8 and by CRI-O in OpenShift Container Platform, does not enforce TLS connections to the container registry authorization service. An attacker could use this vulnerability to launch a MiTM attack and steal login credentials or bearer tokens.
CVSS Details
Base Score
Exploitability
Impact
Vector string
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector Network
Attack Complexity High
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality High
Integrity None
Availability None
Threat Intelligence
EPSS Exploit Probability
72.8% percentile
Exploit & Patch Status
No Known Exploit
Patch Available
Weaknesses 1
CWE-522
Affected Products 6
| Vendor | Product | Version | Range |
|---|---|---|---|
| buildah_project | buildah | * | any |
| libpod_project | libpod | * | any |
| redhat | openshift_container_platform | 4.1 | any |
| skopeo_project | skopeo | * | any |
| redhat | enterprise_linux | 8.0 | any |
| opensuse | leap | 15.1 | any |
References 3
- lists.opensuse.org http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00035.html
- lists.opensuse.org http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00041.html
- bugzilla.redhat.com https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10214
Remediation
- bugzilla.redhat.com https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10214