| Vulnerability Name: | CVE-2020-35514 (CCN-202911) | ||||||||||||
| Assigned: | 2020-12-17 | ||||||||||||
| Published: | 2021-01-11 | ||||||||||||
| Updated: | 2021-06-11 | ||||||||||||
| Summary: | An insecure modification flaw in the /etc/kubernetes/kubeconfig file was found in OpenShift. This flaw allows an attacker with access to a running container which mounts /etc/kubernetes or has local access to the node, to copy this kubeconfig file and attempt to add their own node to the OpenShift cluster. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. This flaw affects versions before openshift4/ose-machine-config-operator v4.7.0-202105111858.p0. | ||||||||||||
| CVSS v3 Severity: | 7.0 High (CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H) 6.2 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:R)
6.2 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:R)
| ||||||||||||
| CVSS v2 Severity: | 4.4 Medium (CVSS v2 Vector: AV:L/AC:M/Au:N/C:P/I:P/A:P)
| ||||||||||||
| Vulnerability Type: | CWE-266 | ||||||||||||
| Vulnerability Consequences: | Bypass Security | ||||||||||||
| References: | Source: MITRE Type: CNA CVE-2020-35514 Source: CCN Type: Red Hat Bugzilla - Bug 1914714 CVE-2020-35514 openshift/machine-config-operator: /etc/kubernetes/kubeconfig is given incorrect privileges Source: MISC Type: Issue Tracking, Vendor Advisory https://bugzilla.redhat.com/show_bug.cgi?id=1914714 Source: XF Type: UNKNOWN redhat-cve202035514-sec-bypass(202911) Source: CCN Type: OpenShift GIT Repository Restrict default file mode for /etc/kuberentes/kubeconfig #2202 | ||||||||||||
| Vulnerable Configuration: | Configuration 1: Configuration CCN 1:  Denotes that component is vulnerable | ||||||||||||
| BACK | |||||||||||||