Description
OpenShift Container Platform before version 4.1.3 writes OAuth tokens in plaintext to the audit logs for the Kubernetes API server and OpenShift API server. A user with sufficient privileges could recover OAuth tokens from these audit logs and use them to access other resources.
References (3)
Core 3
Core References
Issue Tracking, Patch, Vendor Advisory x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10165
Patch, Third Party Advisory x_refsource_confirm
https://github.com/openshift/cluster-kube-apiserver-operator/pull/499/
Patch, Third Party Advisory x_refsource_confirm
https://github.com/openshift/cluster-openshift-apiserver-operator/pull/205
Scores
CVSS v3
2.3
EPSS
0.0006
EPSS Percentile
18.4%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
Details
CWE
CWE-532
Status
published
Products (1)
redhat/openshift_container_platform
< 4.1.3
Published
Jul 30, 2019
Tracked Since
Feb 18, 2026