CVE-2019-3895

HIGH

OpenStack Octavia < 0.9.0 - Arbitrary Amphora Image Execution via Unscoped Image Lookup in Red Hat OpenStack Platform Director Deployments

Title source: llm

Description

An access-control flaw was found in the Octavia service when the cloud platform was deployed using Red Hat OpenStack Platform Director. Octavia selects the image for new amphorae (the load-balancer VMs it boots on behalf of tenants) by image tag, and the affected deployments did not scope that lookup to the service project that owns the real amphora image. Any authenticated user who could upload images to Glance (PR:L in the vector below) could therefore upload an image carrying the amphora tag, and the next time Octavia spawned amphorae, for example when a tenant created or failed over a load balancer, it would boot the attacker's image instead. Because the amphora is the VM that terminates tenant load-balancer traffic, an attacker-controlled image means attacker code running in the data path of every load balancer built from it, which is why the score carries high confidentiality, integrity and availability impact. Applying the fix only changes which image future amphorae boot from; amphorae already built from a planted image remain compromised until they are failed over or deleted.

References (3)

Red Hat Bugzilla (issue tracking, mitigation, third-party advisory)
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3895
Red Hat vendor advisory
https://access.redhat.com/errata/RHSA-2019:1683
Red Hat vendor advisory
https://access.redhat.com/errata/RHSA-2019:1742

Scores

CVSS v3 8.0
EPSS 0.0051
EPSS Percentile 66.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Details

CWE
CWE-284
Status published
Products (3)
openstack/octavia < 0.9.0
pypi/octavia 0 - 0.9.0 (PyPI)
redhat/openstack 12
Published Jun 03, 2019
Tracked Since Feb 18, 2026