CVE-2020-25688

EPSS 0.03%
Veröffentlicht 23.11.2020 22:15:12
Zuletzt bearbeitet 21.11.2024 05:18:28
Quelle secalert@redhat.com
Teams Watchlist Login
Unerledigt Login

A flaw was found in rhacm versions before 2.0.5 and before 2.1.0. Two internal service APIs were incorrectly provisioned using a test certificate from the source repository. This would result in all installations using the same certificates. If an attacker could observe network traffic internal to a cluster, they could use the private key to decode API requests that should be protected by TLS sessions, potentially obtaining information they would not otherwise be able to. These certificates are not used for service authentication, so no opportunity for impersonation or active MITM attacks were made possible.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 2 Referenzen 4

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Redhat ≫ Advanced Cluster Management For Kubernetes Version < 2.0.5

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.03%	0.054

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	3.5	2.1	1.4	CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
nvd@nist.gov	2.7	5.1	2.9	AV:A/AC:L/Au:S/C:P/I:N/A:N

CWE-321 Use of Hard-coded Cryptographic Key

The use of a hard-coded cryptographic key significantly increases the possibility that encrypted data may be recovered.

CWE-798 Use of Hard-coded Credentials

The product contains hard-coded credentials, such as a password or cryptographic key.

https://bugzilla.redhat.com/show_bug.cgi?id=1892551

Vendor Advisory

Issue Tracking

https://nvd.nist.gov/vuln/detail/CVE-2020-25688

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2020-25688

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2020-25688

EUVD