CVE-2020-25655

Severity
6.5 MEDIUM
EPSS
0.2%
top 56.24%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Nov 9
Latest update: May 24

Description

An issue was discovered in the ManagedClusterView API that could allow secrets to be disclosed to users without the correct permissions. Views created for an admin user would be made available for a short time to users with only view permission. During this short window, a user with view permission could read cluster secrets that should only be disclosed to admin users.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
Exploitability: 2.1 | Impact: 3.6

Affected Packages: 2 packages

🔴Vulnerability Details

GHSA
GHSA-fvqj-2g9g-f9xv: An issue was discovered in ManagedClusterView API, that could allow secrets to be disclosed to users without the correct permissions (2022-05-24)
CVEList
CVE-2020-25655: An issue was discovered in ManagedClusterView API, that could allow secrets to be disclosed to users without the correct permissions (2020-11-09)

📋Vendor Advisories

Red Hat
open-cluster-management: RBAC bypass may disclose cluster secrets to other users (2020-10-22)

💬Community

Bugzilla
CVE-2020-25655 open-cluster-management: RBAC bypass may disclose cluster secrets to other users (2020-10-14)