CVE-2019-19346: 
NixOS vulnerability analysis and mitigation

An insecure modification vulnerability (CVE-2019-19346) was discovered in the /etc/passwd file within the container openshift/mariadb-apb. The vulnerability affects versions prior to 4.3.5, 4.2.21, 4.1.37, and 3.11.188-4. This security issue was disclosed in March 2020 and received a CVSS v3.1 base score of 7.0 (HIGH) (NVD, Red Hat Advisory).

The vulnerability stems from incorrect privilege assignments on the /etc/passwd file, which allows it to be modified by users other than root within the container. The issue has been assigned CWE-269 (Improper Privilege Management) and CWE-266 (Incorrect Privilege Assignment). The CVSS v3.1 vector is CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating local access requirements with high complexity and potential for high impact on confidentiality, integrity, and availability (NVD).

An attacker with access to the running container could exploit this vulnerability to modify the /etc/passwd file and escalate their privileges. However, by default, this vulnerability is not exploitable in unprivileged containers running on OpenShift Container Platform, as the system calls SETUID and SETGID are blocked by the default seccomp policy (Red Hat Bugzilla).

Red Hat has addressed this vulnerability by releasing security updates for multiple versions of OpenShift Container Platform. Fixed versions include OpenShift Container Platform 4.3.5, 4.2.21, 4.1.37, and 3.11.188-4. Users are advised to upgrade to these patched versions (Red Hat Advisory).