SCA: security update for octavia (GHSA-jjgh-m322-fjx6)

medium Tenable Self-Hosted Container Security Plugin ID 433613

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- An access-control flaw was found in the Octavia service when the cloud platform was deployed using Red Hat
OpenStack Platform Director. An attacker could cause new amphorae to run based on any arbitrary image.
This meant that a remote attacker could upload a new amphorae image and, if requested to spawn new
amphorae, Octavia would then pick up the compromised image. (CVE-2019-3895)

Solution

Update the octavia library and its related packages to version 0.9.0 or later.

See Also

https://github.com/advisories/GHSA-jjgh-m322-fjx6

Plugin Details

Severity: Medium

ID: 433613

Version: Revision 1.3

Type: Local

Family: SCA Checks

Published: 8/19/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.12

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2019-3895

CVSS v3

Risk Factor: High

Base Score: 8

Temporal Score: 7

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS v4

Risk Factor: Medium

Base Score: 5.1

Threat Score: 1.2

Threat Vector: CVSS:4.0/E:U

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 5/24/2022

Vulnerability Publication Date: 5/27/2019

Reference Information

CVE: CVE-2019-3895

BID: 108783

cwe: CWE-284