CVE-2020-1701: Incorrect Permission Assignment in Kubevirt

Severity
6.5 MEDIUM (NVD)
EPSS
0.1%
top 65.69%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: May 27
Latest update: Jun 4

Description

A flaw was found in the KubeVirt main virt-handler versions before 0.26.0 regarding the access permissions of virt-handler. An attacker with access to create VMs could attach any secret within their namespace, allowing them to read the contents of that secret.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Exploitability: 2.8 | Impact: 3.6

Affected Packages (2 packages)

NVD: kubevirt/kubevirt < 0.26.0

🔴 Vulnerability Details

4
OSV
Permissions bypass in KubeVirt in kubevirt.io/kubevirt (2024-06-04)
GHSA
Permissions bypass in KubeVirt (2021-06-01)
OSV
Permissions bypass in KubeVirt (2021-06-01)
CVEList
CVE-2020-1701: A flaw was found in the KubeVirt main virt-handler versions before 0 (2021-05-27)

📋 Vendor Advisories

1
Red Hat
virt-handler: virt-handler daemonset clusterroles allows retrieval of secrets (2020-01-07)

💬 Community

1
Bugzilla
CVE-2020-1701 virt-handler: virt-handler daemonset clusterroles allows retrieval of secrets (2020-01-17)