
CVE-2014-3496

CVSS Severity Score: 10.0 (CRITICAL)
EPSS Score: 0.0560%
EPSS Percentile: 40.78th
Published: Jun 20, 2014
Last Modified: May 6, 2026

Vulnerability Description

cartridge_repository.rb in OpenShift Origin and Enterprise 1.2.8 through 2.1.1 allows remote attackers to execute arbitrary commands via shell metacharacters in a Source-Url ending with a (1) .tar.gz, (2) .zip, (3) .tgz, or (4) .tar file extension in a cartridge manifest file.

Affected Platforms (CPE)

Redhat Openshift = 1.2.8
Redhat Openshift = 2.0
Redhat Openshift = 2.0.1
Redhat Openshift = 2.0.2
Redhat Openshift = 2.0.3
Redhat Openshift = 2.0.4
Redhat Openshift = 2.0.5
Redhat Openshift = 2.0.6
Redhat Openshift = 2.1
Redhat Openshift = 2.1.1
Redhat Openshift Origin = 1.2.8
Redhat Openshift Origin = 2.1
Redhat Openshift Origin = 2.1.1
