CVE-2020-25688: Use of Hard-coded Cryptographic Key in Red Hat Advanced Cluster Management for Kubernetes

Severity: 3.5 LOW (NVD)
EPSS: 0.0% (top 91.43%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Nov 23; Latest update May 24

Description

A flaw was found in rhacm versions before 2.0.5 and before 2.1.0. Two internal service APIs were incorrectly provisioned using a test certificate from the source repository. This would result in all installations using the same certificates. If an attacker could observe network traffic internal to a cluster, they could use the private key to decode API requests that should be protected by TLS sessions, potentially obtaining information they would not otherwise be able to. These certificates are

CVSS vector

CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Exploitability: 2.1 | Impact: 1.4

Affected Packages: 1 package

Vulnerability Details (2)

GHSA: GHSA-xm77-mpc2-5mxx: A flaw was found in rhacm versions before 2 (2022-05-24)
CVEList: CVE-2020-25688: A flaw was found in rhacm versions before 2 (2020-11-23)

Vendor Advisories (1)

Red Hat: rhacm: certificate re-use in grcuiapi and topologyapi (2020-11-05)

Community (1)

Bugzilla: CVE-2020-25688 rhacm: certificate re-use in grcuiapi and topologyapi (2020-10-29)
Source: cvebase