CVE-2018-14620

Description

The OpenStack RabbitMQ container image insecurely retrieves the rabbitmq_clusterer component over HTTP during the build stage. This could potentially allow an attacker to serve malicious code to the image builder and install in the resultant container image. Version of openstack-rabbitmq-container and openstack-containers as shipped with Red Hat Openstack 12, 13, 14 are believed to be vulnerable.

References

Link	Tags
https://access.redhat.com/errata/RHSA-2018:2729	vendor advisory
https://access.redhat.com/errata/RHSA-2018:2721	vendor advisory
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14620	issue tracking vendor advisory

Frequently Asked Questions

What is the severity of CVE-2018-14620?: CVE-2018-14620 has been scored as a medium severity vulnerability.
How to fix CVE-2018-14620?: To fix CVE-2018-14620, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2018-14620 being actively exploited in the wild?: As for now, there are no information to confirm that CVE-2018-14620 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2018-14620?: CVE-2018-14620 affects Red Hat openstack-rabbitmq-container.

This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.

Description

Categories

CWE-494 – Download of Code Without Integrity Check

CWE-20 – Improper Input Validation

References

Frequently Asked Questions