CVE-2019-10138 - Vulnerability Details

Vendors	Products
Python	Novajoin
Redhat	Openstack

Package	CPE	Advisory	Released Date
Red Hat OpenStack Platform 13.0 (Queens)
python-novajoin-0:1.1.1-3.el7ost	cpe:/a:redhat:openstack:13::el7	RHSA-2019:1728	2019-07-10T00:00:00Z
Red Hat OpenStack Platform 14.0 (Rocky)
ansible-role-container-registry-0:1.0.1-0.20190218212245.d6a749a.el7ost	cpe:/a:redhat:openstack:14::el7	RHBA-2019:0944	2019-04-30T00:00:00Z
ansible-role-redhat-subscription-0:1.0.2-1.el7ost	cpe:/a:redhat:openstack:14::el7	RHBA-2019:0944	2019-04-30T00:00:00Z
ansible-role-tripleo-modify-image-0:1.0.1-0.20190226052419.9014df9.el7ost	cpe:/a:redhat:openstack:14::el7	RHBA-2019:0944	2019-04-30T00:00:00Z
ansible-tripleo-ipsec-0:9.1.0-1.el7ost	cpe:/a:redhat:openstack:14::el7	RHBA-2019:0944	2019-04-30T00:00:00Z
openstack-barbican-0:7.0.1-0.20190204192112.ed17b57.el7ost	cpe:/a:redhat:openstack:14::el7	RHBA-2019:0944	2019-04-30T00:00:00Z
openstack-designate-1:7.0.1-0.20190314164436.7f4c878.el7ost	cpe:/a:redhat:openstack:14::el7	RHBA-2019:0944	2019-04-30T00:00:00Z
openstack-heat-ui-0:1.4.1-0.20190130023741.0b301df.el7ost	cpe:/a:redhat:openstack:14::el7	RHBA-2019:0944	2019-04-30T00:00:00Z
openstack-kuryr-kubernetes-0:0.5.4-0.20190220170509.17d2635.el7ost	cpe:/a:redhat:openstack:14::el7	RHBA-2019:0944	2019-04-30T00:00:00Z
openstack-manila-1:7.1.0-2.el7ost	cpe:/a:redhat:openstack:14::el7	RHBA-2019:0944	2019-04-30T00:00:00Z
openstack-manila-ui-0:2.16.1-0.20190204170113.4865df2.el7ost	cpe:/a:redhat:openstack:14::el7	RHBA-2019:0944	2019-04-30T00:00:00Z
openstack-octavia-ui-0:2.0.1-0.20190110112807.85e4a3e.el7ost	cpe:/a:redhat:openstack:14::el7	RHBA-2019:0944	2019-04-30T00:00:00Z
openstack-selinux-0:0.8.18-1.el7ost	cpe:/a:redhat:openstack:14::el7	RHBA-2019:0944	2019-04-30T00:00:00Z
openstack-tempest-1:19.0.0-3.el7ost	cpe:/a:redhat:openstack:14::el7	RHBA-2019:0944	2019-04-30T00:00:00Z
openstack-zaqar-1:7.0.1-0.20181026065336.fed6d77.el7ost	cpe:/a:redhat:openstack:14::el7	RHBA-2019:0944	2019-04-30T00:00:00Z
openvswitch2.10-0:2.10.0-28.el7fdp.2	cpe:/a:redhat:openstack:14::el7	RHBA-2019:0944	2019-04-30T00:00:00Z
python-glance-store-0:0.26.2-0.20181026221750.d001c3c.el7ost	cpe:/a:redhat:openstack:14::el7	RHBA-2019:0944	2019-04-30T00:00:00Z
python-hardware-0:0.18.1-0.20190301121902.b417976.el7ost	cpe:/a:redhat:openstack:14::el7	RHBA-2019:0944	2019-04-30T00:00:00Z
python-novajoin-0:1.1.1-2.el7ost	cpe:/a:redhat:openstack:14::el7	RHBA-2019:0944	2019-04-30T00:00:00Z
python-octaviaclient-0:1.6.0-0.20180816134808.64d007f.el7ost	cpe:/a:redhat:openstack:14::el7	RHBA-2019:0944	2019-04-30T00:00:00Z
python-os-faults-0:0.2.1-1.el7ost	cpe:/a:redhat:openstack:14::el7	RHBA-2019:0944	2019-04-30T00:00:00Z
python-oslo-cache-0:1.30.3-0.20190204170706.5f42092.el7ost	cpe:/a:redhat:openstack:14::el7	RHBA-2019:0944	2019-04-30T00:00:00Z
python-ovsdbapp-0:0.12.3-1.el7ost	cpe:/a:redhat:openstack:14::el7	RHBA-2019:0944	2019-04-30T00:00:00Z
python-telemetry-tests-tempest-0:0.2.0-0.20190222195250.7f0e315.el7ost	cpe:/a:redhat:openstack:14::el7	RHBA-2019:0944	2019-04-30T00:00:00Z
python-vmware-nsxlib-0:13.0.1-0.20190220070404.24a7ff4.el7ost	cpe:/a:redhat:openstack:14::el7	RHBA-2019:0944	2019-04-30T00:00:00Z
python-wsme-0:0.9.4-0.20190314161310.1d73d6e.el7ost	cpe:/a:redhat:openstack:14::el7	RHBA-2019:0944	2019-04-30T00:00:00Z
qpid-proton-0:0.26.0-3.el7	cpe:/a:redhat:openstack:14::el7	RHBA-2019:0944	2019-04-30T00:00:00Z
rhosp-release-0:14.0.2-1.el7ost	cpe:/a:redhat:openstack:14::el7	RHBA-2019:0944	2019-04-30T00:00:00Z
skydive-0:0.20.3-1.el7ost	cpe:/a:redhat:openstack:14::el7	RHBA-2019:0944	2019-04-30T00:00:00Z

Link	Providers
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10138
https://nvd.nist.gov/vuln/detail/CVE-2019-10138
https://review.opendev.org/#/c/631240/
https://www.cve.org/CVERecord?id=CVE-2019-10138

Show plain JSON

{"containers": {"cna": {"affected": [{"product": "python-novajoin", "vendor": "Red Hat", "versions": [{"status": "affected", "version": "all up to, excluding 1.1.1"}]}], "descriptions": [{"lang": "en", "value": "A flaw was discovered in the python-novajoin plugin, all versions up to, excluding 1.1.1, for Red Hat OpenStack Platform. The novajoin API lacked sufficient access control, allowing any keystone authenticated user to generate FreeIPA tokens."}], "metrics": [{"cvssV3_0": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-284", "description": "CWE-284", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2019-07-30T16:16:51", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10138"}, {"tags": ["x_refsource_MISC"], "url": "https://review.opendev.org/#/c/631240/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert@redhat.com", "ID": "CVE-2019-10138", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "python-novajoin", "version": {"version_data": [{"version_value": "all up to, excluding 1.1.1"}]}}]}, "vendor_name": "Red Hat"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A flaw was discovered in the python-novajoin plugin, all versions up to, excluding 1.1.1, for Red Hat OpenStack Platform. The novajoin API lacked sufficient access control, allowing any keystone authenticated user to generate FreeIPA tokens."}]}, "impact": {"cvss": [[{"vectorString": "7.1/CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.0"}]]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-284"}]}]}, "references": {"reference_data": [{"name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10138", "refsource": "CONFIRM", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10138"}, {"name": "https://review.opendev.org/#/c/631240/", "refsource": "MISC", "url": "https://review.opendev.org/#/c/631240/"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T22:10:10.017Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10138"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://review.opendev.org/#/c/631240/"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2019-10138", "datePublished": "2019-07-30T16:16:51", "dateReserved": "2019-03-27T00:00:00", "dateUpdated": "2024-08-04T22:10:10.017Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{

containers : { »

cna : { »

affected : [ »

0 : { »

product : python-novajoin (string)

vendor : Red Hat (string)

versions : [ »

0 : { »

status : affected (string)

version : all up to, excluding 1.1.1 (string)

}

]

}

]

descriptions : [ »

0 : { »

lang : en (string)

value : A flaw was discovered in the python-novajoin plugin, all versions up to, excluding 1.1.1, for Red Hat OpenStack Platform. The novajoin API lacked sufficient access control, allowing any keystone authenticated user to generate FreeIPA tokens. (string)

}

]

metrics : [ »

0 : { »

cvssV3_0 : { »

attackComplexity : HIGH (string)

attackVector : NETWORK (string)

availabilityImpact : HIGH (string)

baseScore : 7.1 (number)

baseSeverity : HIGH (string)

confidentialityImpact : HIGH (string)

integrityImpact : HIGH (string)

privilegesRequired : LOW (string)

scope : UNCHANGED (string)

userInteraction : REQUIRED (string)

vectorString : CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H (string)

version : 3.0 (string)

}

]

problemTypes : [ »

0 : { »

descriptions : [ »

0 : { »

cweId : CWE-284 (string)

description : CWE-284 (string)

lang : en (string)

type : CWE (string)

}

]

}

]

providerMetadata : { »

dateUpdated : 2019-07-30T16:16:51 (string)

orgId : 53f830b8-0a3f-465b-8143-3b8a9948e749 (string)

shortName : redhat (string)

}

references : [ »

0 : { »

tags : [ »

0 : x_refsource_CONFIRM (string)

]

url : https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10138 (string)

}

1 : { »

tags : [ »

0 : x_refsource_MISC (string)

]

url : https://review.opendev.org/#/c/631240/ (string)

}

]

x_legacyV4Record : { »

CVE_data_meta : { »

ASSIGNER : secalert@redhat.com (string)

ID : CVE-2019-10138 (string)

STATE : PUBLIC (string)

}

affects : { »

vendor : { »

vendor_data : [ »

0 : { »

product : { »

product_data : [ »

0 : { »

product_name : python-novajoin (string)

version : { »

version_data : [ »

0 : { »

version_value : all up to, excluding 1.1.1 (string)

}

]

}

]

}

vendor_name : Red Hat (string)

}

]

}

data_format : MITRE (string)

data_type : CVE (string)

data_version : 4.0 (string)

description : { »

description_data : [ »

0 : { »

lang : eng (string)

value : A flaw was discovered in the python-novajoin plugin, all versions up to, excluding 1.1.1, for Red Hat OpenStack Platform. The novajoin API lacked sufficient access control, allowing any keystone authenticated user to generate FreeIPA tokens. (string)

}

]

}

impact : { »

cvss : [ »

0 : [ »

0 : { »

vectorString : 7.1/CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H (string)

version : 3.0 (string)

}

]

}

problemtype : { »

problemtype_data : [ »

0 : { »

description : [ »

0 : { »

lang : eng (string)

value : CWE-284 (string)

}

]

}

]

}

references : { »

reference_data : [ »

0 : { »

name : https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10138 (string)

refsource : CONFIRM (string)

url : https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10138 (string)

}

1 : { »

name : https://review.opendev.org/#/c/631240/ (string)

refsource : MISC (string)

url : https://review.opendev.org/#/c/631240/ (string)

}

]

}

adp : [ »

0 : { »

providerMetadata : { »

orgId : af854a3a-2127-422b-91ae-364da2661108 (string)

shortName : CVE (string)

dateUpdated : 2024-08-04T22:10:10.017Z (string)

}

title : CVE Program Container (string)

references : [ »

0 : { »

tags : [ »

0 : x_refsource_CONFIRM (string)

1 : x_transferred (string)

]

url : https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10138 (string)

}

1 : { »

tags : [ »

0 : x_refsource_MISC (string)

1 : x_transferred (string)

]

url : https://review.opendev.org/#/c/631240/ (string)

}

]

}

]

}

cveMetadata : { »

assignerOrgId : 53f830b8-0a3f-465b-8143-3b8a9948e749 (string)

assignerShortName : redhat (string)

cveId : CVE-2019-10138 (string)

datePublished : 2019-07-30T16:16:51 (string)

dateReserved : 2019-03-27T00:00:00 (string)

dateUpdated : 2024-08-04T22:10:10.017Z (string)

state : PUBLISHED (string)

}

dataType : CVE_RECORD (string)

dataVersion : 5.1 (string)

}

Show plain JSON

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:python:novajoin:*:*:*:*:*:*:*:*", "matchCriteriaId": "D8939297-2BAD-43BF-BA1A-871D8A407A5C", "versionEndExcluding": "1.1.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A flaw was discovered in the python-novajoin plugin, all versions up to, excluding 1.1.1, for Red Hat OpenStack Platform. The novajoin API lacked sufficient access control, allowing any keystone authenticated user to generate FreeIPA tokens."}, {"lang": "es", "value": "Se detect\u00f3 un fallo en el plugin python-novajoin, todas las versiones hasta 1.1.1, excluy\u00e9ndola, para Red Hat OpenStack Platform. La API de novajoin carec\u00eda de un control de acceso suficiente, permitiendo a cualquier usuario autenticado pulsaciones de teclas para generar tokens FreeIPA."}], "id": "CVE-2019-10138", "lastModified": "2024-11-21T04:18:29.793", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "secalert@redhat.com", "type": "Secondary"}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-07-30T17:15:12.390", "references": [{"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10138"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://review.opendev.org/#/c/631240/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10138"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://review.opendev.org/#/c/631240/"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}], "source": "secalert@redhat.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{

configurations : [ »

0 : { »

nodes : [ »

0 : { »

cpeMatch : [ »

0 : { »

criteria : cpe:2.3:a:python:novajoin:*:*:*:*:*:*:*:* (string)

matchCriteriaId : D8939297-2BAD-43BF-BA1A-871D8A407A5C (string)

versionEndExcluding : 1.1.1 (string)

vulnerable : true (boolean)

}

]

negate : false (boolean)

operator : OR (string)

}

]

}

]

descriptions : [ »

0 : { »

lang : en (string)

value : A flaw was discovered in the python-novajoin plugin, all versions up to, excluding 1.1.1, for Red Hat OpenStack Platform. The novajoin API lacked sufficient access control, allowing any keystone authenticated user to generate FreeIPA tokens. (string)

}

1 : { »

lang : es (string)

value : Se detectó un fallo en el plugin python-novajoin, todas las versiones hasta 1.1.1, excluyéndola, para Red Hat OpenStack Platform. La API de novajoin carecía de un control de acceso suficiente, permitiendo a cualquier usuario autenticado pulsaciones de teclas para generar tokens FreeIPA. (string)

}

]

id : CVE-2019-10138 (string)

lastModified : 2024-11-21T04:18:29.793 (string)

metrics : { »

cvssMetricV2 : [ »

0 : { »

acInsufInfo : false (boolean)

baseSeverity : MEDIUM (string)

cvssData : { »

accessComplexity : LOW (string)

accessVector : NETWORK (string)

authentication : SINGLE (string)

availabilityImpact : PARTIAL (string)

baseScore : 6.5 (number)

confidentialityImpact : PARTIAL (string)

integrityImpact : PARTIAL (string)

vectorString : AV:N/AC:L/Au:S/C:P/I:P/A:P (string)

version : 2.0 (string)

}

exploitabilityScore : 8 (number)

impactScore : 6.4 (number)

obtainAllPrivilege : false (boolean)

obtainOtherPrivilege : false (boolean)

obtainUserPrivilege : false (boolean)

source : nvd@nist.gov (string)

type : Primary (string)

userInteractionRequired : false (boolean)

}

]

cvssMetricV30 : [ »

0 : { »

cvssData : { »

attackComplexity : HIGH (string)

attackVector : NETWORK (string)

availabilityImpact : HIGH (string)

baseScore : 7.1 (number)

baseSeverity : HIGH (string)

confidentialityImpact : HIGH (string)

integrityImpact : HIGH (string)

privilegesRequired : LOW (string)

scope : UNCHANGED (string)

userInteraction : REQUIRED (string)

vectorString : CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H (string)

version : 3.0 (string)

}

exploitabilityScore : 1.2 (number)

impactScore : 5.9 (number)

source : secalert@redhat.com (string)

type : Secondary (string)

}

]

cvssMetricV31 : [ »

0 : { »

cvssData : { »

attackComplexity : LOW (string)

attackVector : NETWORK (string)

availabilityImpact : HIGH (string)

baseScore : 8.8 (number)

baseSeverity : HIGH (string)

confidentialityImpact : HIGH (string)

integrityImpact : HIGH (string)

privilegesRequired : LOW (string)

scope : UNCHANGED (string)

userInteraction : NONE (string)

vectorString : CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (string)

version : 3.1 (string)

}

exploitabilityScore : 2.8 (number)

impactScore : 5.9 (number)

source : nvd@nist.gov (string)

type : Primary (string)

}

]

}

published : 2019-07-30T17:15:12.390 (string)

references : [ »

0 : { »

source : secalert@redhat.com (string)

tags : [ »

0 : Issue Tracking (string)

1 : Third Party Advisory (string)

]

url : https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10138 (string)

}

1 : { »

source : secalert@redhat.com (string)

tags : [ »

0 : Third Party Advisory (string)

]

url : https://review.opendev.org/#/c/631240/ (string)

}

2 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

tags : [ »

0 : Issue Tracking (string)

1 : Third Party Advisory (string)

]

url : https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10138 (string)

}

3 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

tags : [ »

0 : Third Party Advisory (string)

]

url : https://review.opendev.org/#/c/631240/ (string)

}

]

sourceIdentifier : secalert@redhat.com (string)

vulnStatus : Modified (string)

weaknesses : [ »

0 : { »

description : [ »

0 : { »

lang : en (string)

value : CWE-284 (string)

}

]

source : secalert@redhat.com (string)

type : Secondary (string)

}

1 : { »

description : [ »

0 : { »

lang : en (string)

value : NVD-CWE-Other (string)

}

]

source : nvd@nist.gov (string)

type : Primary (string)

}

]

}

Show plain JSON

{"acknowledgement": "This issue was discovered by Grzegorz Grasza (Red Hat).", "affected_release": [{"advisory": "RHSA-2019:1728", "cpe": "cpe:/a:redhat:openstack:13::el7", "package": "python-novajoin-0:1.1.1-3.el7ost", "product_name": "Red Hat OpenStack Platform 13.0 (Queens)", "release_date": "2019-07-10T00:00:00Z"}, {"advisory": "RHBA-2019:0944", "cpe": "cpe:/a:redhat:openstack:14::el7", "package": "ansible-role-container-registry-0:1.0.1-0.20190218212245.d6a749a.el7ost", "product_name": "Red Hat OpenStack Platform 14.0 (Rocky)", "release_date": "2019-04-30T00:00:00Z"}, {"advisory": "RHBA-2019:0944", "cpe": "cpe:/a:redhat:openstack:14::el7", "package": "ansible-role-redhat-subscription-0:1.0.2-1.el7ost", "product_name": "Red Hat OpenStack Platform 14.0 (Rocky)", "release_date": "2019-04-30T00:00:00Z"}, {"advisory": "RHBA-2019:0944", "cpe": "cpe:/a:redhat:openstack:14::el7", "package": "ansible-role-tripleo-modify-image-0:1.0.1-0.20190226052419.9014df9.el7ost", "product_name": "Red Hat OpenStack Platform 14.0 (Rocky)", "release_date": "2019-04-30T00:00:00Z"}, {"advisory": "RHBA-2019:0944", "cpe": "cpe:/a:redhat:openstack:14::el7", "package": "ansible-tripleo-ipsec-0:9.1.0-1.el7ost", "product_name": "Red Hat OpenStack Platform 14.0 (Rocky)", "release_date": "2019-04-30T00:00:00Z"}, {"advisory": "RHBA-2019:0944", "cpe": "cpe:/a:redhat:openstack:14::el7", "package": "openstack-barbican-0:7.0.1-0.20190204192112.ed17b57.el7ost", "product_name": "Red Hat OpenStack Platform 14.0 (Rocky)", "release_date": "2019-04-30T00:00:00Z"}, {"advisory": "RHBA-2019:0944", "cpe": "cpe:/a:redhat:openstack:14::el7", "package": "openstack-designate-1:7.0.1-0.20190314164436.7f4c878.el7ost", "product_name": "Red Hat OpenStack Platform 14.0 (Rocky)", "release_date": "2019-04-30T00:00:00Z"}, {"advisory": "RHBA-2019:0944", "cpe": "cpe:/a:redhat:openstack:14::el7", "package": "openstack-heat-ui-0:1.4.1-0.20190130023741.0b301df.el7ost", "product_name": "Red Hat OpenStack Platform 14.0 (Rocky)", "release_date": "2019-04-30T00:00:00Z"}, {"advisory": "RHBA-2019:0944", "cpe": "cpe:/a:redhat:openstack:14::el7", "package": "openstack-kuryr-kubernetes-0:0.5.4-0.20190220170509.17d2635.el7ost", "product_name": "Red Hat OpenStack Platform 14.0 (Rocky)", "release_date": "2019-04-30T00:00:00Z"}, {"advisory": "RHBA-2019:0944", "cpe": "cpe:/a:redhat:openstack:14::el7", "package": "openstack-manila-1:7.1.0-2.el7ost", "product_name": "Red Hat OpenStack Platform 14.0 (Rocky)", "release_date": "2019-04-30T00:00:00Z"}, {"advisory": "RHBA-2019:0944", "cpe": "cpe:/a:redhat:openstack:14::el7", "package": "openstack-manila-ui-0:2.16.1-0.20190204170113.4865df2.el7ost", "product_name": "Red Hat OpenStack Platform 14.0 (Rocky)", "release_date": "2019-04-30T00:00:00Z"}, {"advisory": "RHBA-2019:0944", "cpe": "cpe:/a:redhat:openstack:14::el7", "package": "openstack-octavia-ui-0:2.0.1-0.20190110112807.85e4a3e.el7ost", "product_name": "Red Hat OpenStack Platform 14.0 (Rocky)", "release_date": "2019-04-30T00:00:00Z"}, {"advisory": "RHBA-2019:0944", "cpe": "cpe:/a:redhat:openstack:14::el7", "package": "openstack-selinux-0:0.8.18-1.el7ost", "product_name": "Red Hat OpenStack Platform 14.0 (Rocky)", "release_date": "2019-04-30T00:00:00Z"}, {"advisory": "RHBA-2019:0944", "cpe": "cpe:/a:redhat:openstack:14::el7", "package": "openstack-tempest-1:19.0.0-3.el7ost", "product_name": "Red Hat OpenStack Platform 14.0 (Rocky)", "release_date": "2019-04-30T00:00:00Z"}, {"advisory": "RHBA-2019:0944", "cpe": "cpe:/a:redhat:openstack:14::el7", "package": "openstack-zaqar-1:7.0.1-0.20181026065336.fed6d77.el7ost", "product_name": "Red Hat OpenStack Platform 14.0 (Rocky)", "release_date": "2019-04-30T00:00:00Z"}, {"advisory": "RHBA-2019:0944", "cpe": "cpe:/a:redhat:openstack:14::el7", "package": "openvswitch2.10-0:2.10.0-28.el7fdp.2", "product_name": "Red Hat OpenStack Platform 14.0 (Rocky)", "release_date": "2019-04-30T00:00:00Z"}, {"advisory": "RHBA-2019:0944", "cpe": "cpe:/a:redhat:openstack:14::el7", "package": "python-glance-store-0:0.26.2-0.20181026221750.d001c3c.el7ost", "product_name": "Red Hat OpenStack Platform 14.0 (Rocky)", "release_date": "2019-04-30T00:00:00Z"}, {"advisory": "RHBA-2019:0944", "cpe": "cpe:/a:redhat:openstack:14::el7", "package": "python-hardware-0:0.18.1-0.20190301121902.b417976.el7ost", "product_name": "Red Hat OpenStack Platform 14.0 (Rocky)", "release_date": "2019-04-30T00:00:00Z"}, {"advisory": "RHBA-2019:0944", "cpe": "cpe:/a:redhat:openstack:14::el7", "package": "python-novajoin-0:1.1.1-2.el7ost", "product_name": "Red Hat OpenStack Platform 14.0 (Rocky)", "release_date": "2019-04-30T00:00:00Z"}, {"advisory": "RHBA-2019:0944", "cpe": "cpe:/a:redhat:openstack:14::el7", "package": "python-octaviaclient-0:1.6.0-0.20180816134808.64d007f.el7ost", "product_name": "Red Hat OpenStack Platform 14.0 (Rocky)", "release_date": "2019-04-30T00:00:00Z"}, {"advisory": "RHBA-2019:0944", "cpe": "cpe:/a:redhat:openstack:14::el7", "package": "python-os-faults-0:0.2.1-1.el7ost", "product_name": "Red Hat OpenStack Platform 14.0 (Rocky)", "release_date": "2019-04-30T00:00:00Z"}, {"advisory": "RHBA-2019:0944", "cpe": "cpe:/a:redhat:openstack:14::el7", "package": "python-oslo-cache-0:1.30.3-0.20190204170706.5f42092.el7ost", "product_name": "Red Hat OpenStack Platform 14.0 (Rocky)", "release_date": "2019-04-30T00:00:00Z"}, {"advisory": "RHBA-2019:0944", "cpe": "cpe:/a:redhat:openstack:14::el7", "package": "python-ovsdbapp-0:0.12.3-1.el7ost", "product_name": "Red Hat OpenStack Platform 14.0 (Rocky)", "release_date": "2019-04-30T00:00:00Z"}, {"advisory": "RHBA-2019:0944", "cpe": "cpe:/a:redhat:openstack:14::el7", "package": "python-telemetry-tests-tempest-0:0.2.0-0.20190222195250.7f0e315.el7ost", "product_name": "Red Hat OpenStack Platform 14.0 (Rocky)", "release_date": "2019-04-30T00:00:00Z"}, {"advisory": "RHBA-2019:0944", "cpe": "cpe:/a:redhat:openstack:14::el7", "package": "python-vmware-nsxlib-0:13.0.1-0.20190220070404.24a7ff4.el7ost", "product_name": "Red Hat OpenStack Platform 14.0 (Rocky)", "release_date": "2019-04-30T00:00:00Z"}, {"advisory": "RHBA-2019:0944", "cpe": "cpe:/a:redhat:openstack:14::el7", "package": "python-wsme-0:0.9.4-0.20190314161310.1d73d6e.el7ost", "product_name": "Red Hat OpenStack Platform 14.0 (Rocky)", "release_date": "2019-04-30T00:00:00Z"}, {"advisory": "RHBA-2019:0944", "cpe": "cpe:/a:redhat:openstack:14::el7", "package": "qpid-proton-0:0.26.0-3.el7", "product_name": "Red Hat OpenStack Platform 14.0 (Rocky)", "release_date": "2019-04-30T00:00:00Z"}, {"advisory": "RHBA-2019:0944", "cpe": "cpe:/a:redhat:openstack:14::el7", "package": "rhosp-release-0:14.0.2-1.el7ost", "product_name": "Red Hat OpenStack Platform 14.0 (Rocky)", "release_date": "2019-04-30T00:00:00Z"}, {"advisory": "RHBA-2019:0944", "cpe": "cpe:/a:redhat:openstack:14::el7", "package": "skydive-0:0.20.3-1.el7ost", "product_name": "Red Hat OpenStack Platform 14.0 (Rocky)", "release_date": "2019-04-30T00:00:00Z"}], "bugzilla": {"description": "python-novajoin: novajoin API lacks access control", "id": "1670573", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1670573"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.1", "cvss3_scoring_vector": "CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-284", "details": ["A flaw was discovered in the python-novajoin plugin, all versions up to, excluding 1.1.1, for Red Hat OpenStack Platform. The novajoin API lacked sufficient access control, allowing any keystone authenticated user to generate FreeIPA tokens.", "A flaw was discovered in the python-novajoin plugin for Red Hat OpenStack Platform. The novajoin API lacked sufficient access control, allowing any keystone authenticated user to generate FreeIPA tokens."], "name": "CVE-2019-10138", "package_state": [{"cpe": "cpe:/a:redhat:openstack:15", "fix_state": "Not affected", "package_name": "python-novajoin", "product_name": "Red Hat OpenStack Platform 15 (Stein)"}], "public_date": "2019-01-17T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2019-10138\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-10138\nhttps://review.opendev.org/#/c/631240/"], "threat_severity": "Moderate"}

{

acknowledgement : This issue was discovered by Grzegorz Grasza (Red Hat). (string)

affected_release : [ »

0 : { »

advisory : RHSA-2019:1728 (string)

cpe : cpe:/a:redhat:openstack:13::el7 (string)

package : python-novajoin-0:1.1.1-3.el7ost (string)

product_name : Red Hat OpenStack Platform 13.0 (Queens) (string)

release_date : 2019-07-10T00:00:00Z (string)

}

1 : { »

advisory : RHBA-2019:0944 (string)

cpe : cpe:/a:redhat:openstack:14::el7 (string)

package : ansible-role-container-registry-0:1.0.1-0.20190218212245.d6a749a.el7ost (string)

product_name : Red Hat OpenStack Platform 14.0 (Rocky) (string)

release_date : 2019-04-30T00:00:00Z (string)

}

2 : { »

advisory : RHBA-2019:0944 (string)

cpe : cpe:/a:redhat:openstack:14::el7 (string)

package : ansible-role-redhat-subscription-0:1.0.2-1.el7ost (string)

product_name : Red Hat OpenStack Platform 14.0 (Rocky) (string)

release_date : 2019-04-30T00:00:00Z (string)

}

3 : { »

advisory : RHBA-2019:0944 (string)

cpe : cpe:/a:redhat:openstack:14::el7 (string)

package : ansible-role-tripleo-modify-image-0:1.0.1-0.20190226052419.9014df9.el7ost (string)

product_name : Red Hat OpenStack Platform 14.0 (Rocky) (string)

release_date : 2019-04-30T00:00:00Z (string)

}

4 : { »

advisory : RHBA-2019:0944 (string)

cpe : cpe:/a:redhat:openstack:14::el7 (string)

package : ansible-tripleo-ipsec-0:9.1.0-1.el7ost (string)

product_name : Red Hat OpenStack Platform 14.0 (Rocky) (string)

release_date : 2019-04-30T00:00:00Z (string)

}

5 : { »

advisory : RHBA-2019:0944 (string)

cpe : cpe:/a:redhat:openstack:14::el7 (string)

package : openstack-barbican-0:7.0.1-0.20190204192112.ed17b57.el7ost (string)

product_name : Red Hat OpenStack Platform 14.0 (Rocky) (string)

release_date : 2019-04-30T00:00:00Z (string)

}

6 : { »

advisory : RHBA-2019:0944 (string)

cpe : cpe:/a:redhat:openstack:14::el7 (string)

package : openstack-designate-1:7.0.1-0.20190314164436.7f4c878.el7ost (string)

product_name : Red Hat OpenStack Platform 14.0 (Rocky) (string)

release_date : 2019-04-30T00:00:00Z (string)

}

7 : { »

advisory : RHBA-2019:0944 (string)

cpe : cpe:/a:redhat:openstack:14::el7 (string)

package : openstack-heat-ui-0:1.4.1-0.20190130023741.0b301df.el7ost (string)

product_name : Red Hat OpenStack Platform 14.0 (Rocky) (string)

release_date : 2019-04-30T00:00:00Z (string)

}

8 : { »

advisory : RHBA-2019:0944 (string)

cpe : cpe:/a:redhat:openstack:14::el7 (string)

package : openstack-kuryr-kubernetes-0:0.5.4-0.20190220170509.17d2635.el7ost (string)

product_name : Red Hat OpenStack Platform 14.0 (Rocky) (string)

release_date : 2019-04-30T00:00:00Z (string)

}

9 : { »

advisory : RHBA-2019:0944 (string)

cpe : cpe:/a:redhat:openstack:14::el7 (string)

package : openstack-manila-1:7.1.0-2.el7ost (string)

product_name : Red Hat OpenStack Platform 14.0 (Rocky) (string)

release_date : 2019-04-30T00:00:00Z (string)

}

10 : { »

advisory : RHBA-2019:0944 (string)

cpe : cpe:/a:redhat:openstack:14::el7 (string)

package : openstack-manila-ui-0:2.16.1-0.20190204170113.4865df2.el7ost (string)

product_name : Red Hat OpenStack Platform 14.0 (Rocky) (string)

release_date : 2019-04-30T00:00:00Z (string)

}

11 : { »

advisory : RHBA-2019:0944 (string)

cpe : cpe:/a:redhat:openstack:14::el7 (string)

package : openstack-octavia-ui-0:2.0.1-0.20190110112807.85e4a3e.el7ost (string)

product_name : Red Hat OpenStack Platform 14.0 (Rocky) (string)

release_date : 2019-04-30T00:00:00Z (string)

}

12 : { »

advisory : RHBA-2019:0944 (string)

cpe : cpe:/a:redhat:openstack:14::el7 (string)

package : openstack-selinux-0:0.8.18-1.el7ost (string)

product_name : Red Hat OpenStack Platform 14.0 (Rocky) (string)

release_date : 2019-04-30T00:00:00Z (string)

}

13 : { »

advisory : RHBA-2019:0944 (string)

cpe : cpe:/a:redhat:openstack:14::el7 (string)

package : openstack-tempest-1:19.0.0-3.el7ost (string)

product_name : Red Hat OpenStack Platform 14.0 (Rocky) (string)

release_date : 2019-04-30T00:00:00Z (string)

}

14 : { »

advisory : RHBA-2019:0944 (string)

cpe : cpe:/a:redhat:openstack:14::el7 (string)

package : openstack-zaqar-1:7.0.1-0.20181026065336.fed6d77.el7ost (string)

product_name : Red Hat OpenStack Platform 14.0 (Rocky) (string)

release_date : 2019-04-30T00:00:00Z (string)

}

15 : { »

advisory : RHBA-2019:0944 (string)

cpe : cpe:/a:redhat:openstack:14::el7 (string)

package : openvswitch2.10-0:2.10.0-28.el7fdp.2 (string)

product_name : Red Hat OpenStack Platform 14.0 (Rocky) (string)

release_date : 2019-04-30T00:00:00Z (string)

}

16 : { »

advisory : RHBA-2019:0944 (string)

cpe : cpe:/a:redhat:openstack:14::el7 (string)

package : python-glance-store-0:0.26.2-0.20181026221750.d001c3c.el7ost (string)

product_name : Red Hat OpenStack Platform 14.0 (Rocky) (string)

release_date : 2019-04-30T00:00:00Z (string)

}

17 : { »

advisory : RHBA-2019:0944 (string)

cpe : cpe:/a:redhat:openstack:14::el7 (string)

package : python-hardware-0:0.18.1-0.20190301121902.b417976.el7ost (string)

product_name : Red Hat OpenStack Platform 14.0 (Rocky) (string)

release_date : 2019-04-30T00:00:00Z (string)

}

18 : { »

advisory : RHBA-2019:0944 (string)

cpe : cpe:/a:redhat:openstack:14::el7 (string)

package : python-novajoin-0:1.1.1-2.el7ost (string)

product_name : Red Hat OpenStack Platform 14.0 (Rocky) (string)

release_date : 2019-04-30T00:00:00Z (string)

}

19 : { »

advisory : RHBA-2019:0944 (string)

cpe : cpe:/a:redhat:openstack:14::el7 (string)

package : python-octaviaclient-0:1.6.0-0.20180816134808.64d007f.el7ost (string)

product_name : Red Hat OpenStack Platform 14.0 (Rocky) (string)

release_date : 2019-04-30T00:00:00Z (string)

}

20 : { »

advisory : RHBA-2019:0944 (string)

cpe : cpe:/a:redhat:openstack:14::el7 (string)

package : python-os-faults-0:0.2.1-1.el7ost (string)

product_name : Red Hat OpenStack Platform 14.0 (Rocky) (string)

release_date : 2019-04-30T00:00:00Z (string)

}

21 : { »

advisory : RHBA-2019:0944 (string)

cpe : cpe:/a:redhat:openstack:14::el7 (string)

package : python-oslo-cache-0:1.30.3-0.20190204170706.5f42092.el7ost (string)

product_name : Red Hat OpenStack Platform 14.0 (Rocky) (string)

release_date : 2019-04-30T00:00:00Z (string)

}

22 : { »

advisory : RHBA-2019:0944 (string)

cpe : cpe:/a:redhat:openstack:14::el7 (string)

package : python-ovsdbapp-0:0.12.3-1.el7ost (string)

product_name : Red Hat OpenStack Platform 14.0 (Rocky) (string)

release_date : 2019-04-30T00:00:00Z (string)

}

23 : { »

advisory : RHBA-2019:0944 (string)

cpe : cpe:/a:redhat:openstack:14::el7 (string)

package : python-telemetry-tests-tempest-0:0.2.0-0.20190222195250.7f0e315.el7ost (string)

product_name : Red Hat OpenStack Platform 14.0 (Rocky) (string)

release_date : 2019-04-30T00:00:00Z (string)

}

24 : { »

advisory : RHBA-2019:0944 (string)

cpe : cpe:/a:redhat:openstack:14::el7 (string)

package : python-vmware-nsxlib-0:13.0.1-0.20190220070404.24a7ff4.el7ost (string)

product_name : Red Hat OpenStack Platform 14.0 (Rocky) (string)

release_date : 2019-04-30T00:00:00Z (string)

}

25 : { »

advisory : RHBA-2019:0944 (string)

cpe : cpe:/a:redhat:openstack:14::el7 (string)

package : python-wsme-0:0.9.4-0.20190314161310.1d73d6e.el7ost (string)

product_name : Red Hat OpenStack Platform 14.0 (Rocky) (string)

release_date : 2019-04-30T00:00:00Z (string)

}

26 : { »

advisory : RHBA-2019:0944 (string)

cpe : cpe:/a:redhat:openstack:14::el7 (string)

package : qpid-proton-0:0.26.0-3.el7 (string)

product_name : Red Hat OpenStack Platform 14.0 (Rocky) (string)

release_date : 2019-04-30T00:00:00Z (string)

}

27 : { »

advisory : RHBA-2019:0944 (string)

cpe : cpe:/a:redhat:openstack:14::el7 (string)

package : rhosp-release-0:14.0.2-1.el7ost (string)

product_name : Red Hat OpenStack Platform 14.0 (Rocky) (string)

release_date : 2019-04-30T00:00:00Z (string)

}

28 : { »

advisory : RHBA-2019:0944 (string)

cpe : cpe:/a:redhat:openstack:14::el7 (string)

package : skydive-0:0.20.3-1.el7ost (string)

product_name : Red Hat OpenStack Platform 14.0 (Rocky) (string)

release_date : 2019-04-30T00:00:00Z (string)

}

]

bugzilla : { »

description : python-novajoin: novajoin API lacks access control (string)

id : 1670573 (string)

url : https://bugzilla.redhat.com/show_bug.cgi?id=1670573 (string)

}

csaw : false (boolean)

cvss3 : { »

cvss3_base_score : 7.1 (string)

cvss3_scoring_vector : CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H (string)

status : verified (string)

}

cwe : CWE-284 (string)

details : [ »

0 : A flaw was discovered in the python-novajoin plugin, all versions up to, excluding 1.1.1, for Red Hat OpenStack Platform. The novajoin API lacked sufficient access control, allowing any keystone authenticated user to generate FreeIPA tokens. (string)

1 : A flaw was discovered in the python-novajoin plugin for Red Hat OpenStack Platform. The novajoin API lacked sufficient access control, allowing any keystone authenticated user to generate FreeIPA tokens. (string)

]

name : CVE-2019-10138 (string)

package_state : [ »

0 : { »

cpe : cpe:/a:redhat:openstack:15 (string)

fix_state : Not affected (string)

package_name : python-novajoin (string)

product_name : Red Hat OpenStack Platform 15 (Stein) (string)

}

]

public_date : 2019-01-17T00:00:00Z (string)

references : [ »

0 : https://www.cve.org/CVERecord?id=CVE-2019-10138 https://nvd.nist.gov/vuln/detail/CVE-2019-10138 https://review.opendev.org/#/c/631240/ (string)

]

threat_severity : Moderate (string)

}

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object