{
  "threat_severity" : "Moderate",
  "public_date" : "2019-07-09T00:00:00Z",
  "bugzilla" : {
    "description" : "atomic-openshift: CSRF tokens not refreshing while user is logged in and are exposed in the URL",
    "id" : "1712569",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1712569"
  },
  "cvss3" : {
    "cvss3_base_score" : "4.2",
    "cvss3_scoring_vector" : "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-352",
  "details" : [ "A flaw was found in OpenShift Container Platform, versions 3.11 and later, in which the CSRF tokens used in the cluster console component were found to remain static during a user's session. An attacker with the ability to observe the value of this token would be able to re-use the token to perform a CSRF attack.", "A flaw was found in OpenShift Container Platform, versions 3.11 and later, in which the CSRF tokens used in the cluster console component were found to remain static during a user's session. An attacker with the ability to observe the value of this token would be able to re-use the token to perform a CSRF attack." ],
  "statement" : "OpenShift Container Platform versions prior to 3.11 do not contain the affected \"cluster console\" component and are not vulnerable to this flaw.",
  "acknowledgement" : "This issue was discovered by Jeremy Choi (Red Hat).",
  "affected_release" : [ {
    "product_name" : "Red Hat OpenShift Container Platform 3.11",
    "release_date" : "2019-12-16T00:00:00Z",
    "advisory" : "RHSA-2019:4053",
    "cpe" : "cpe:/a:redhat:openshift:3.11::el7",
    "package" : "openshift3/ose-console:v3.11.157-1"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.1",
    "release_date" : "2019-09-17T00:00:00Z",
    "advisory" : "RHSA-2019:2792",
    "cpe" : "cpe:/a:redhat:openshift:4.1::el7",
    "package" : "openshift4/ose-console:v4.1.16-201909100604"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.2",
    "release_date" : "2019-10-16T00:00:00Z",
    "advisory" : "RHBA-2019:2922",
    "cpe" : "cpe:/a:redhat:openshift:4.2::el7",
    "package" : "openshift4/ose-console:v4.2.0-201910101614"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat OpenShift Container Platform 3.10",
    "fix_state" : "Not affected",
    "package_name" : "atomic-openshift",
    "cpe" : "cpe:/a:redhat:openshift:3.10"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.6",
    "fix_state" : "Not affected",
    "package_name" : "atomic-openshift",
    "cpe" : "cpe:/a:redhat:openshift:3.6"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.7",
    "fix_state" : "Not affected",
    "package_name" : "atomic-openshift",
    "cpe" : "cpe:/a:redhat:openshift:3.7"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.9",
    "fix_state" : "Not affected",
    "package_name" : "atomic-openshift",
    "cpe" : "cpe:/a:redhat:openshift:3.9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2019-10176\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-10176" ],
  "name" : "CVE-2019-10176",
  "csaw" : false
}