{
  "threat_severity" : "Low",
  "public_date" : "2019-03-29T00:00:00Z",
  "bugzilla" : {
    "description" : "atomic-openshift: cross-namespace owner references can trigger deletions of valid children",
    "id" : "1693905",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1693905"
  },
  "cvss3" : {
    "cvss3_base_score" : "3.6",
    "cvss3_scoring_vector" : "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L",
    "status" : "verified"
  },
  "cwe" : "CWE-290",
  "details" : [ "A vulnerability exists in the garbage collection mechanism of atomic-openshift. An attacker able spoof the UUID of a valid object from another namespace is able to delete children of those objects. Versions 3.6, 3.7, 3.8, 3.9, 3.10, 3.11 and 4.1 are affected.", "A vulnerability exists in the garbage collection mechanism of atomic-openshift. An attacker able spoof the UUID of a valid object from another namespace is able to delete children of those objects." ],
  "acknowledgement" : "This issue was discovered by Jessica Forrester (Red Hat).",
  "affected_release" : [ {
    "product_name" : "Red Hat OpenShift Container Platform 4.7",
    "release_date" : "2021-02-24T00:00:00Z",
    "advisory" : "RHSA-2020:5634",
    "cpe" : "cpe:/a:redhat:openshift:4.7::el7",
    "package" : "openshift-0:4.7.0-202102060108.p0.git.97095.7271b90.el8"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat OpenShift Container Platform 3.10",
    "fix_state" : "Fix deferred",
    "package_name" : "atomic-openshift",
    "cpe" : "cpe:/a:redhat:openshift:3.10"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.11",
    "fix_state" : "Fix deferred",
    "package_name" : "atomic-openshift",
    "cpe" : "cpe:/a:redhat:openshift:3.11"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.4",
    "fix_state" : "Not affected",
    "package_name" : "atomic-openshift",
    "cpe" : "cpe:/a:redhat:openshift:3.4"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.5",
    "fix_state" : "Not affected",
    "package_name" : "atomic-openshift",
    "cpe" : "cpe:/a:redhat:openshift:3.5"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.6",
    "fix_state" : "Out of support scope",
    "package_name" : "atomic-openshift",
    "cpe" : "cpe:/a:redhat:openshift:3.6"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.7",
    "fix_state" : "Out of support scope",
    "package_name" : "atomic-openshift",
    "cpe" : "cpe:/a:redhat:openshift:3.7"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.9",
    "fix_state" : "Fix deferred",
    "package_name" : "atomic-openshift",
    "cpe" : "cpe:/a:redhat:openshift:3.9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2019-3884\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-3884" ],
  "name" : "CVE-2019-3884",
  "csaw" : false
}