CVE-2020-1701
Published: 2021-05-27
Priority: P3 · 35 · medium · CVSS 3.1: 6.5
AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:N / A:N
EPSS: 0.75% (50.2th percentile)
A flaw was found in the KubeVirt main virt-handler versions before 0.26.0 regarding the access permissions of virt-handler. An attacker with access to create VMs could attach any secret within their namespace, allowing them to read the contents of that secret.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| kubevirt.io | kubevirt | >= 0 < 0.26.0 | 0.26.0 |
| kubevirt | kubevirt | < 0.26.0 | 0.26.0 |
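CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
| nvd | v2.0 | 4.0 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:N/A:N |
| vendor_redhat | | 6.5 | MEDIUM | |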
Red Hat
virt-handler: virt-handler daemonset clusterroles allows retrieval of secrets
vendor_redhat·2020-01-07·CVSS 6.5
CVE-2020-1701 [MEDIUM] CWE-732 virt-handler: virt-handler daemonset clusterroles allows retrieval of secrets
A flaw was found in the KubeVirt main virt-handler regarding the access permissions of virt-handler. An attacker with access to create VMs could attach any secret within their namespace, allowing them to read the contents of that secret.
Mitigation: This issue can only be resolved by applying updates.
Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of us
OSV
Permissions bypass in KubeVirt in kubevirt.io/kubevirt
osv·2024-06-04
CVE-2020-1701 Permissions bypass in KubeVirt in kubevirt.io/kubevirt
GHSA
Permissions bypass in KubeVirt
ghsa·2021-06-01
CVE-2020-1701 [MEDIUM] CWE-732 Permissions bypass in KubeVirt
OSV
Permissions bypass in KubeVirt
osv·2021-06-01
CVE-2020-1701 [MEDIUM] Permissions bypass in KubeVirt
No detection rules found.
No public exploits indexed.