CVE-2023-0923

A flaw was found in the Kubernetes service for notebooks in RHODS, where it does not prevent pods from other namespaces and applications from making requests to the Jupyter API. This flaw can lead to file content exposure and other issues.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://access.redhat.com/errata/RHSA-2023:0977	Vendor Advisory
https://access.redhat.com/security/cve/CVE-2023-0923	Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2171870	Issue Tracking Vendor Advisory

Configurations

Configuration 1 (hide)

AND

cpe:2.3:a:redhat:openshift_data_science:*:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*

History

20 Sep 2023, 20:40

Type	Values Removed	Values Added
References	~~(MISC) https://bugzilla.redhat.com/show_bug.cgi?id=2171870 -~~	(MISC) https://bugzilla.redhat.com/show_bug.cgi?id=2171870 - Issue Tracking, Vendor Advisory
References	~~(MISC) https://access.redhat.com/errata/RHSA-2023:0977 -~~	(MISC) https://access.redhat.com/errata/RHSA-2023:0977 - Vendor Advisory
References	~~(MISC) https://access.redhat.com/security/cve/CVE-2023-0923 -~~	(MISC) https://access.redhat.com/security/cve/CVE-2023-0923 - Vendor Advisory
CPE		cpe:2.3:o:redhat:enterprise_linux:8.0:::::::* cpe:2.3:a:redhat:openshift_data_science::::::::
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 9.8
First Time		Redhat openshift Data Science Redhat Redhat enterprise Linux
CWE		CWE-862

17 Sep 2023, 12:01

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-09-15 21:15

Updated : 2024-05-03 16:15

NVD link : CVE-2023-0923

Mitre link : CVE-2023-0923

CVE.ORG link : CVE-2023-0923

JSON object : View

Products Affected

redhat

openshift_data_science
enterprise_linux

CWE

CWE-862

Missing Authorization

{"id": "CVE-2023-0923", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "secalert@redhat.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2023-09-15T21:15:09.153", "references": [{"url": "https://access.redhat.com/errata/RHSA-2023:0977", "tags": ["Vendor Advisory"], "source": "secalert@redhat.com"}, {"url": "https://access.redhat.com/security/cve/CVE-2023-0923", "tags": ["Vendor Advisory"], "source": "secalert@redhat.com"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2171870", "tags": ["Issue Tracking", "Vendor Advisory"], "source": "secalert@redhat.com"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-862"}]}, {"type": "Secondary", "source": "secalert@redhat.com", "description": [{"lang": "en", "value": "CWE-862"}]}], "descriptions": [{"lang": "en", "value": "A flaw was found in the Kubernetes service for notebooks in RHODS, where it does not prevent pods from other namespaces and applications from making requests to the Jupyter API. This flaw can lead to file content exposure and other issues."}, {"lang": "es", "value": "Se encontr\u00f3 una falla en el servicio Kubernetes para port\u00e1tiles en RHODS, donde no impide que los pods de otros espacios de nombres y aplicaciones realicen solicitudes a la API de Jupyter. Esta falla puede provocar la exposici\u00f3n del contenido del archivo y otros problemas."}], "lastModified": "2024-05-03T16:15:09.933", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:redhat:openshift_data_science:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "85641122-B8E2-4665-ABA5-2D812E52F36A", "versionEndExcluding": "1.22.1-3", "versionStartIncluding": "1.22"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "F4CFF558-3C47-480D-A2F0-BABF26042943"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "secalert@redhat.com"}