CVE-2020-25655

Published: Nov 9, 2020Modified: Nov 21, 2024

6.5

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Exploitability: 2.8 / Impact: 3.6

Source: NVD

Description

An issue was discovered in ManagedClusterView API, that could allow secrets to be disclosed to users without the correct permissions. Views created for an admin user would be made available for a short time to users with only view permission. In this short time window the user with view permission could read cluster secrets that should only be disclosed to admin users.

Affected (1)

Products: Redhat: Advanced Cluster Management For Kubernetes

1 product

Advanced Cluster Management For Kubernetes

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Redhat Advanced Cluster Management For Kubernetes	Version 2.0

Related CWEs

Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

References (2)

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-25655

Source: secalert@redhat.com

Issue TrackingVendor Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-25655

Source: af854a3a-2127-422b-91ae-364da2661108

Issue TrackingVendor Advisory

Timeline

No history available yet.