CVE-2020-1701 - OpenCVE

A flaw was found in the KubeVirt main virt-handler versions before 0.26.0 regarding the access permissions of virt-handler. An attacker with access to create VMs could attach any secret within their namespace, allowing them to read the contents of that secret.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:S/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Kubevirt	Kubevirt

Configuration 1 [-]

cpe:2.3:a:kubevirt:kubevirt:*:*:*:*:*:kubernetes:*:*

References

Link	Resource
https://bugzilla.redhat.com/show_bug.cgi?id=1792092	Issue Tracking Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: redhat

Published: 2021-05-27T19:45:04

Updated: 2021-05-27T19:45:04

Reserved: 2019-11-27T00:00:00

Link: CVE-2020-1701

JSON object: View

NVD Information

Status : Analyzed

Published: 2021-05-27T20:15:07.957

Modified: 2021-06-10T14:55:59.580

Link: CVE-2020-1701

JSON object: View

Redhat Information

No data.

CWE

CWE-732

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:kubevirt:kubevirt:*:*:*:*:*:kubernetes:*:*", "matchCriteriaId": "4DC4EAAB-7AB8-4F53-9956-C12FA9F89C20", "versionEndExcluding": "0.26.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A flaw was found in the KubeVirt main virt-handler versions before 0.26.0 regarding the access permissions of virt-handler. An attacker with access to create VMs could attach any secret within their namespace, allowing them to read the contents of that secret."}, {"lang": "es", "value": "Se encontr\u00f3 un fallo en el KubeVirt main virt-handler versiones anteriores a 0.26.0, con respecto a los permisos de acceso de virt-handler. Un atacante con acceso para crear m\u00e1quinas virtuales podr\u00eda adjuntar cualquier secreto dentro de su namespace, permiti\u00e9ndoles leer el contenido de ese secreto"}], "id": "CVE-2020-1701", "lastModified": "2021-06-10T14:55:59.580", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-05-27T20:15:07.957", "references": [{"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1792092"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-732"}], "source": "secalert@redhat.com", "type": "Primary"}]}