Lucene search

[email protected]CVE-2020-14306

HistorySep 16, 2020 - 6:15 p.m.

CVE-2020-14306

2020-09-1618:15:13

CWE-862

[email protected]

web.nvd.nist.gov

cve-2020-14306

openshift

istio

access control

security flaw

data confidentiality

integrity

system availability

6.5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

8.3 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

42.9%

JSON

An incorrect access control flaw was found in the operator, openshift-service-mesh/istio-rhel8-operator all versions through 1.1.3. This flaw allows an attacker with a basic level of access to the cluster to deploy a custom gateway/pod to any namespace, potentially gaining access to privileged service account tokens. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

Affected configurations

Vulners

NVD

Node

redhatopenshift_service_meshRange≤1.1.3

VendorProductVersionCPE
redhatopenshift_service_mesh*cpe:2.3:a:redhat:openshift_service_mesh:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
redhat	openshift_service_mesh	*	cpe:2.3:a:redhat:openshift_service_mesh::::::::

CNA Affected

[
  {
    "vendor": "n/a",
    "product": "openshift-service-mesh/istio-rhel8-operator",
    "versions": [
      {
        "version": "all versions through 1.1.3",
        "status": "affected"
      }
    ]
  }
]