CVE-2020-26278: Execution with Unnecessary Privileges in Weave

Severity
NVD: 8.0 HIGH
CNA: 5.8
EPSS
0.2%
top 63.37%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published Jan 20

Description

Weave Net is open source software which creates a virtual network that connects Docker containers across multiple hosts and enables their automatic discovery. Weave Net before version 2.8.0 has a vulnerability which can allow an attacker to take over any host in the cluster. Weave Net is supplied with a manifest that runs pods on every node in a Kubernetes cluster, which are responsible for managing network connections for all other pods in the cluster. This requires a lot of power over the h

CVSS vector

CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Exploitability: 1.3 | Impact: 6.0

Affected Packages (2 packages)

NVD: weave/weave < 2.8.0
CVEListV5: weaveworks/weave < 2.8.0

Patches

Vulnerability Details (1)

CVEList: Weave Net Pods running in host PID namespace can be used to escalate other Kubernetes vulnerabilities (2021-01-20)
CVE-2020-26278 — Execution with Unnecessary Privileges | cvebase