CVE-2019-10138
Improper Access Control in novajoin
8.8
HIGH
CVSS 3.1
EPSS 0.44%
Description
A flaw was discovered in the python-novajoin plugin, all versions up to, excluding 1.1.1, for Red Hat OpenStack Platform. The novajoin API lacked sufficient access control, allowing any keystone authenticated user to generate FreeIPA tokens.
How to fix CVE-2019-10138
To remediate CVE-2019-10138, upgrade the affected package to a fixed version below.
- PyPI/novajoin—upgrade to 1.1.1 or later
- —upgrade to 1.1.1 or later
Is CVE-2019-10138 being exploited?
Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- from 0, < 1.1.1
- from 0, < 1.1.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | HIGH8.8 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |