CVE-2019-19351: 
NixOS vulnerability analysis and mitigation

An insecure modification vulnerability (CVE-2019-19351) was discovered in the /etc/passwd file within the container openshift/jenkins. This vulnerability specifically affects the openshift/jenkins-slave-base-rhel7-container as shipped in OpenShift 4 and 3.11. The vulnerability was reported on November 27, 2019, and affects Red Hat OpenShift Container Platform versions 3.11 and 4.x (NVD, Red Hat CVE).

The vulnerability stems from incorrect privileges assigned to the /etc/passwd file in the container, allowing unauthorized modifications. The severity is rated as HIGH with a CVSS v3.1 base score of 7.0 (Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H). The vulnerability is classified under CWE-269 (Improper Privilege Management) and CWE-266 (Incorrect Privilege Assignment) (NVD).

An attacker with access to the running container could exploit this vulnerability to modify the /etc/passwd file and escalate their privileges within the container. However, it's important to note that by default, this vulnerability is not exploitable in unprivileged containers running on OpenShift Container Platform, as the SETUID and SETGID system calls are blocked by the default seccomp policy (Red Hat Bugzilla).

Red Hat has addressed this vulnerability through several security updates: RHSA-2020:0562 for OpenShift Container Platform 4.3, RHSA-2020:0526 for OpenShift Container Platform 4.2, and RHSA-2020:0803 for OpenShift Container Platform 3.11. Users are advised to update to the patched versions (Red Hat Advisory).