CVE-2016-1906: Authorization bypass in Openshift

CVSS Score: 9.8 (CVSS 3.0)

Basic Information

EPSS Score: 0.84401%
Published: 12/20/2021
Updated: 2/3/2023
KEV Status: No
Technology: Go

Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected package
Package Name: github.com/openshift/origin
Ecosystem: go
Vulnerable Versions: < 1.1.1
First Patched Version: 1.1.1

Vulnerability Intelligence
Root Cause Analysis (Miggo AI)

The vulnerability stems from missing update-operation handling in the build-strategy admission controller. The GitHub fix (openshift/origin#6576) shows the admission handler was modified to include 'admission.Update' in the operations it handles; the original code only checked 'admission.Create', so strategy changes made through an update were never authorized. The test cases in 'test/integration/build_admission_test.go' confirm this by adding update validation checks. Both the handler registration (NewBuildByStrategy) and the admission logic (Admit) were deficient in handling updates, making them the root cause.
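The gap described above, modelled as an added Go example (not code from openshift/origin or from Miggo): a simplified admission plugin that is registered for Create only lets an update through without any strategy check, while one registered for Create and Update enforces the policy on both paths. The names buildByStrategy, Attributes and the allowedStrategies policy are assumptions for this illustration, not the project's API.

```go
package main

import "fmt"

// Operation stands in for the admission operation kinds (simplified assumption).
type Operation string

const (
	Create Operation = "CREATE"
	Update Operation = "UPDATE"
)

// Attributes is what the plugin sees for one request (constructed, not OpenShift's type).
type Attributes struct {
	Op       Operation
	User     string
	Strategy string // requested build strategy type, e.g. "Source", "Docker", "Custom"
}

// allowedStrategies is a constructed policy: which strategy types each user may use.
var allowedStrategies = map[string]map[string]bool{
	"dev-user":      {"Source": true, "Docker": true}, // "Custom" deliberately absent
	"cluster-admin": {"Source": true, "Docker": true, "Custom": true},
}

// buildByStrategy is a simplified admission plugin; ops is the set of operations it is registered for.
type buildByStrategy struct{ ops map[Operation]bool }

// NewVulnerable registers only Create, the deficiency described for CVE-2016-1906.
func NewVulnerable() *buildByStrategy { return &buildByStrategy{ops: map[Operation]bool{Create: true}} }

// NewFixed registers Create and Update, the shape of the upstream fix.
func NewFixed() *buildByStrategy { return &buildByStrategy{ops: map[Operation]bool{Create: true, Update: true}} }

// Admit enforces the strategy policy only for operations the plugin is registered for;
// an unregistered operation passes through with no check, which is the bypass.
func (b *buildByStrategy) Admit(a Attributes) error {
	if !b.ops[a.Op] {
		return nil // not registered for this operation: no strategy check at all
	}
	if !allowedStrategies[a.User][a.Strategy] {
		return fmt.Errorf("user %q may not use build strategy %q", a.User, a.Strategy)
	}
	return nil
}

func main() {
	upd := Attributes{Op: Update, User: "dev-user", Strategy: "Custom"}
	fmt.Println("vulnerable:", NewVulnerable().Admit(upd), "| fixed:", NewFixed().Admit(upd))
}
```

The same pattern applies to any admission-style check: the set of operations a plugin registers for is part of the policy, and a regression test should cover each operation the resource can receive.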

WAF Protection Rules

WAF Rule

Openshift allows remote attackers to gain privileges by updating a build configuration that was created with an allowed type to a type that is not allowed.
