Vulnerability Details CVE-2019-17134
Amphora Images in OpenStack Octavia >=0.10.0 <2.1.2, >=3.0.0 <3.2.0, >=4.0.0 <4.1.0 allows anyone with access to the management network to bypass client-certificate based authentication and retrieve information or issue configuration commands via simple HTTP requests to the Agent on port https/9443, because the cmd/agent.py gunicorn cert_reqs option is True but is supposed to be ssl.CERT_REQUIRED.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.011
EPSS Ranking 76.8%
CVSS Severity
CVSS v3 Score 9.1
CVSS v2 Score 6.4
References
- https://access.redhat.com/errata/RHSA-2019:3743
- https://access.redhat.com/errata/RHSA-2019:3788
- https://access.redhat.com/errata/RHSA-2020:0721
- https://review.opendev.org/686541
- https://review.opendev.org/686543
- https://review.opendev.org/686544
- https://review.opendev.org/686545
- https://review.opendev.org/686546
- https://review.opendev.org/686547
- https://security.openstack.org/ossa/OSSA-2019-005.html
- https://storyboard.openstack.org/#%21/story/2006660
- https://usn.ubuntu.com/4153-1/
- https://access.redhat.com/errata/RHSA-2019:3743
- https://access.redhat.com/errata/RHSA-2019:3788
- https://access.redhat.com/errata/RHSA-2020:0721
- https://review.opendev.org/686541
- https://review.opendev.org/686543
- https://review.opendev.org/686544
- https://review.opendev.org/686545
- https://review.opendev.org/686546
- https://review.opendev.org/686547
- https://security.openstack.org/ossa/OSSA-2019-005.html
- https://storyboard.openstack.org/#%21/story/2006660
- https://usn.ubuntu.com/4153-1/
Products affected by CVE-2019-17134
-
cpe:2.3:a:opendev:octavia:0.10.0
-
cpe:2.3:a:opendev:octavia:1.0.0
-
cpe:2.3:a:opendev:octavia:1.0.1
-
cpe:2.3:a:opendev:octavia:1.0.2
-
cpe:2.3:a:opendev:octavia:1.0.3
-
cpe:2.3:a:opendev:octavia:1.0.4
-
cpe:2.3:a:opendev:octavia:1.0.5
-
cpe:2.3:a:opendev:octavia:2.0.0
-
cpe:2.3:a:opendev:octavia:2.0.1
-
cpe:2.3:a:opendev:octavia:2.0.2
-
cpe:2.3:a:opendev:octavia:2.0.3
-
cpe:2.3:a:opendev:octavia:2.0.4
-
cpe:2.3:a:opendev:octavia:2.1.0
-
cpe:2.3:a:opendev:octavia:2.1.1
-
cpe:2.3:a:opendev:octavia:3.0.0
-
cpe:2.3:a:opendev:octavia:3.0.1
-
cpe:2.3:a:opendev:octavia:3.0.2
-
cpe:2.3:a:opendev:octavia:3.1.0
-
cpe:2.3:a:opendev:octavia:3.1.1
-
cpe:2.3:a:opendev:octavia:4.0.0
-
cpe:2.3:a:opendev:octavia:4.0.1
-
cpe:2.3:o:canonical:ubuntu_linux:19.04