Access Control Weakness in OpenShift Service Mesh Operator
CVE-2020-14306
8.8 HIGH
What is CVE-2020-14306?
An access control vulnerability has been identified in the OpenShift Service Mesh Operator. The flaw permits authenticated users with basic access to deploy customized gateways or pods within any namespace of the cluster. Doing so can lead to the compromise of privileged service account tokens, which puts the confidentiality and integrity of sensitive data, and the overall availability of the system, at risk. Remediation is needed to prevent unauthorized access and protect data within the infrastructure.
Affected Version(s)
openshift-service-mesh/istio-rhel8-operator all versions through 1.1.3
