CVE-2020-25688

EPSS 0.03%
Published 23.11.2020 22:15:12
Last modified 21.11.2024 05:18:28
Source secalert@redhat.com
Teams watchlist Login
Open Login

A flaw was found in rhacm versions before 2.0.5 and before 2.1.0. Two internal service APIs were incorrectly provisioned using a test certificate from the source repository. This would result in all installations using the same certificates. If an attacker could observe network traffic internal to a cluster, they could use the private key to decode API requests that should be protected by TLS sessions, potentially obtaining information they would not otherwise be able to. These certificates are not used for service authentication, so no opportunity for impersonation or active MITM attacks were made possible.

Affected products Warnungen 0 Metrics 3 CWE 2 References 4

Data is provided by the National Vulnerability Database (NVD)

Redhat ≫ Advanced Cluster Management For Kubernetes Version < 2.0.5

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.03%	0.054

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	3.5	2.1	1.4	CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
nvd@nist.gov	2.7	5.1	2.9	AV:A/AC:L/Au:S/C:P/I:N/A:N

CWE-321 Use of Hard-coded Cryptographic Key

The use of a hard-coded cryptographic key significantly increases the possibility that encrypted data may be recovered.

CWE-798 Use of Hard-coded Credentials

The product contains hard-coded credentials, such as a password or cryptographic key.

https://bugzilla.redhat.com/show_bug.cgi?id=1892551

Vendor Advisory

Issue Tracking

https://nvd.nist.gov/vuln/detail/CVE-2020-25688

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2020-25688

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2020-25688

EUVD