Skip to main content

Download of Code Without Integrity Check

CVE-2019-14845

Severity Medium
Score 5.3/10

Summary

A vulnerability was found in 'github.com/openshift/builder/pkg/build/builder', Builds that extract source from a container image, bypass the TLS hostname verification. An attacker can take advantage of this flaw by launching a man-in-the-middle attack and injecting malicious content. A fix exists in the master branch of GH but there is no released version yet.

  • HIGH
  • ADJACENT_NETWORK
  • HIGH
  • UNCHANGED
  • NONE
  • NONE
  • NONE
  • NONE

CWE-494 - Download of Code Without Integrity Check

The product downloads source code or an executable from a remote location and executes the code without sufficiently verifying the origin and integrity of the code.

Advisory Timeline

  • Published