Critical severity 9.8 · NVD Advisory · Published Feb 3, 2016 · Updated May 6, 2026
CVE-2016-1906
Description
OpenShift allows remote attackers to gain privileges by updating a build configuration that was created with an allowed type to a type that is not allowed.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/openshift/origin (Go) | < 1.1.1 | 1.1.1 |
Affected products
- cpe:2.3:a:kubernetes:kubernetes:-:*:*:*:*:*:*:*
Patches
d95ec085f03e Merge pull request #6678 from csrwng/fix_build_details
2 files changed · +14 −0
pkg/build/admission/admission.go+5 −0 modified@@ -49,6 +49,11 @@ func (a *buildByStrategy) Admit(attr admission.Attributes) error { if resource := attr.GetResource(); resource != buildsResource && resource != buildConfigsResource { return nil } + // Explicitly exclude the builds/details subresource because it's only + // updating commit info and cannot change build type. + if attr.GetResource() == buildsResource && attr.GetSubresource() == "details" { + return nil + } switch obj := attr.GetObject().(type) { case *buildapi.Build: return a.checkBuildAuthorization(obj, attr)
pkg/build/admission/admission_test.go+9 −0 modified@@ -128,6 +128,15 @@ func TestBuildAdmission(t *testing.T) { expectAccept: false, expectedError: "Internal error occurred: [Unrecognized request object &admission.fakeObject{}, couldn't find ObjectMeta field in admission.fakeObject{}]", }, + { + name: "details on forbidden docker build", + object: testBuild(buildapi.BuildStrategy{DockerStrategy: &buildapi.DockerBuildStrategy{}}), + kind: "Build", + resource: buildsResource, + subResource: "details", + reviewResponse: reviewResponse(false, "cannot create build of type docker build"), + expectAccept: true, + }, } ops := []admission.Operation{admission.Create, admission.Update}
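Review bot: in pkg/build/admission/admission.go, the new early return in Admit skips the strategy authorization check for every operation on builds/details, and its safety rests only on the comment's claim that this subresource "cannot change build type", which nothing in this function enforces. Since the admission check exists to stop a build being moved to a disallowed type, consider limiting the exemption to the operation the details endpoint actually serves (the test table runs both admission.Create and admission.Update against it) and pointing the comment at the code that restricts which fields a details update may write, so a later change to that handler does not silently reopen the bypass. The literal "details" would also be easier to audit as a named constant next to buildsResource.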
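Review bot: in pkg/build/admission/admission_test.go, the added case "details on forbidden docker build" only proves the exemption accepts, with no companion case proving it stays narrow. The condition in Admit requires both resource == buildsResource and subresource == "details", so add at least one negative case with the same denied reviewResponse, for example resource: buildConfigsResource with subResource: "details", or resource: buildsResource with a different subresource, each with expectAccept: false. Without those, loosening the condition to match on subresource alone would still pass this test.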
References
- github.com/advisories/GHSA-m3fm-h5jp-q79p (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2016-1906 (ghsa, ADVISORY)
- access.redhat.com/errata/RHSA-2016:0070 (nvd, WEB)
- access.redhat.com/errata/RHSA-2016:0351 (nvd, WEB)
- access.redhat.com/security/cve/CVE-2016-1906 (ghsa, WEB)
- bugzilla.redhat.com/show_bug.cgi (ghsa, WEB)
- github.com/openshift/origin/commit/d95ec085f03ecf10e8c424a4f0340ddb38891406 (ghsa, WEB)
- github.com/openshift/origin/issues/6556 (nvd, WEB)
- github.com/openshift/origin/pull/6576 (nvd, WEB)
- web.nvd.nist.gov/view/vuln/detail (ghsa, WEB)