CVE-2019-19335: 
NixOS vulnerability analysis and mitigation

During installation of an OpenShift 4 cluster, the openshift-install command line tool creates an auth directory containing kubeconfig and kubeadmin-password files. Both files contain credentials used to authenticate to the OpenShift API server and were incorrectly assigned world-readable permissions in OpenShift 4.2 (Red Hat CVE, NVD).

The vulnerability stems from incorrect file permissions set during the OpenShift installation process. When the openshift-install tool creates the authentication files, it sets them as world-readable (-rw-r--r--), allowing any user on the system to read sensitive credentials. This contrasts with the more secure behavior of the oc command line tool, which creates configuration files readable only by the current user (Bugzilla).

The vulnerability exposes sensitive authentication credentials to all local users on the system. Any user with local access can read the kubeconfig and kubeadmin-password files, potentially gaining unauthorized access to the OpenShift API server and cluster resources (Red Hat CVE).

The issue was addressed in OpenShift Container Platform 4.2.18 through security advisory RHSA-2020:0476. Users should upgrade to this version or later to receive the fix (Red Hat Advisory).