← Back

CVE-2020-25688

nvd nist
Published: Nov 23, 2020Modified: Nov 21, 2024

JSON object

Loading...
3.5
Vector
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Exploitability: 2.1 / Impact: 1.4
Source: NVD

Description

A flaw was found in rhacm versions before 2.0.5 and before 2.1.0. Two internal service APIs were incorrectly provisioned using a test certificate from the source repository. This would result in all installations using the same certificates. If an attacker could observe network traffic internal to a cluster, they could use the private key to decode API requests that should be protected by TLS sessions, potentially obtaining information they would not otherwise be able to. These certificates are not used for service authentication, so no opportunity for impersonation or active MITM attacks were made possible.

Affected (1)

Redhat
1 product
Advanced Cluster Management For Kubernetes
Configuration A
1 vulnerable
Vulnerable SoftwareAffected Versions
Advanced Cluster Management For Kubernetes
Before 2.0.5

Related CWEs

CWE-321
Use of Hard-coded Cryptographic Key
The use of a hard-coded cryptographic key significantly increases the possibility that encrypted data may be recovered.
CWE-798
Use of Hard-coded Credentials
The product contains hard-coded credentials, such as a password or cryptographic key.

References (2)

Source: secalert@redhat.com
Issue TrackingVendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Issue TrackingVendor Advisory

Timeline

No history available yet.