CVE-2020-10749 (GCVE-0-2020-10749)
Vulnerability from cvelistv5 – Published: 2020-06-03 13:45 – Updated: 2024-08-04 11:14

| URL | Tags |
|---|---|
| https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2… | x_refsource_CONFIRM |
| https://groups.google.com/forum/#%21topic/kuberne… | x_refsource_MISC |
| http://lists.opensuse.org/opensuse-security-annou… | vendor-advisoryx_refsource_SUSE |
| http://lists.opensuse.org/opensuse-security-annou… | vendor-advisoryx_refsource_SUSE |
| https://lists.fedoraproject.org/archives/list/pac… | vendor-advisoryx_refsource_FEDORA |
| Vendor | Product | Version | |
|---|---|---|---|
| Red Hat | containernetworking/plugins | Affected: all containernetworking/plugins versions before version 0.8.6 | |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T11:14:15.590Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10749"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://groups.google.com/forum/#%21topic/kubernetes-security-announce/BMb_6ICCfp8"
},
{
"name": "openSUSE-SU-2020:1049",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00063.html"
},
{
"name": "openSUSE-SU-2020:1050",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00065.html"
},
{
"name": "FEDORA-2021-ccb8a9c403",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DV3HCDZYUTPPVDUMTZXDKK6IUO3JMGJC/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "containernetworking/plugins",
"vendor": "Red Hat",
"versions": [
{
"status": "affected",
"version": "all containernetworking/plugins versions before version 0.8.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in all versions of containernetworking/plugins before version 0.8.6, that allows malicious containers in Kubernetes clusters to perform man-in-the-middle (MitM) attacks. A malicious container can exploit this flaw by sending rogue IPv6 router advertisements to the host or other containers, to redirect traffic to the malicious container."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-300",
"description": "CWE-300",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-01-10T03:06:06.000Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10749"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://groups.google.com/forum/#%21topic/kubernetes-security-announce/BMb_6ICCfp8"
},
{
"name": "openSUSE-SU-2020:1049",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00063.html"
},
{
"name": "openSUSE-SU-2020:1050",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00065.html"
},
{
"name": "FEDORA-2021-ccb8a9c403",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DV3HCDZYUTPPVDUMTZXDKK6IUO3JMGJC/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2020-10749",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "containernetworking/plugins",
"version": {
"version_data": [
{
"version_value": "all containernetworking/plugins versions before version 0.8.6"
}
]
}
}
]
},
"vendor_name": "Red Hat"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A vulnerability was found in all versions of containernetworking/plugins before version 0.8.6, that allows malicious containers in Kubernetes clusters to perform man-in-the-middle (MitM) attacks. A malicious container can exploit this flaw by sending rogue IPv6 router advertisements to the host or other containers, to redirect traffic to the malicious container."
}
]
},
"impact": {
"cvss": [
[
{
"vectorString": "6/CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L",
"version": "3.0"
}
]
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-300"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10749",
"refsource": "CONFIRM",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10749"
},
{
"name": "https://groups.google.com/forum/#!topic/kubernetes-security-announce/BMb_6ICCfp8",
"refsource": "MISC",
"url": "https://groups.google.com/forum/#!topic/kubernetes-security-announce/BMb_6ICCfp8"
},
{
"name": "openSUSE-SU-2020:1049",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00063.html"
},
{
"name": "openSUSE-SU-2020:1050",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00065.html"
},
{
"name": "FEDORA-2021-ccb8a9c403",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DV3HCDZYUTPPVDUMTZXDKK6IUO3JMGJC/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2020-10749",
"datePublished": "2020-06-03T13:45:39.000Z",
"dateReserved": "2020-03-20T00:00:00.000Z",
"dateUpdated": "2024-08-04T11:14:15.590Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2020-10749",
"date": "2026-05-20",
"epss": "0.05187",
"percentile": "0.9001"
},
"fkie_nvd": {
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:linuxfoundation:cni_network_plugins:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"0.8.6\", \"matchCriteriaId\": \"A3087899-12A3-45CA-9125-70DA2F255534\"}]}]}, {\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:redhat:openshift_container_platform:4.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"932D137F-528B-4526-9A89-CD59FA1AB0FE\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"36D96259-24BD-44E2-96D9-78CE1D41F956\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"142AD0DD-4CF3-4D74-9442-459CE3347E3A\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"F4CFF558-3C47-480D-A2F0-BABF26042943\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"A vulnerability was found in all versions of containernetworking/plugins before version 0.8.6, that allows malicious containers in Kubernetes clusters to perform man-in-the-middle (MitM) attacks. A malicious container can exploit this flaw by sending rogue IPv6 router advertisements to the host or other containers, to redirect traffic to the malicious container.\"}, {\"lang\": \"es\", \"value\": \"Se detect\\u00f3 una vulnerabilidad en todas las versiones de containernetworking/plugins versiones anteriores a 0.8.6, que permite a contenedores maliciosos en los grupos de Kubernetes llevar a cabo ataques de tipo man-in-the-middle (MitM). Un contenedor malicioso puede explotar este fallo mediante el env\\u00edo de anuncios de enrutadores IPv6 falsos al host u otros contenedores, para redireccionar el tr\\u00e1fico al contenedor malicioso.\"}]",
"id": "CVE-2020-10749",
"lastModified": "2024-11-21T04:55:59.307",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"secalert@redhat.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L\", \"baseScore\": 6.0, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"LOW\"}, \"exploitabilityScore\": 1.8, \"impactScore\": 3.7}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L\", \"baseScore\": 6.0, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"LOW\"}, \"exploitabilityScore\": 1.8, \"impactScore\": 3.7}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:M/Au:S/C:P/I:P/A:P\", \"baseScore\": 6.0, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"MEDIUM\", \"authentication\": \"SINGLE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"PARTIAL\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 6.8, \"impactScore\": 6.4, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
"published": "2020-06-03T14:15:12.470",
"references": "[{\"url\": \"http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00063.html\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Broken Link\", \"Third Party Advisory\"]}, {\"url\": \"http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00065.html\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Broken Link\", \"Third Party Advisory\"]}, {\"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10749\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Issue Tracking\", \"Third Party Advisory\"]}, {\"url\": \"https://groups.google.com/forum/#%21topic/kubernetes-security-announce/BMb_6ICCfp8\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DV3HCDZYUTPPVDUMTZXDKK6IUO3JMGJC/\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00063.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Broken Link\", \"Third Party Advisory\"]}, {\"url\": \"http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00065.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Broken Link\", \"Third Party Advisory\"]}, {\"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10749\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Issue Tracking\", \"Third Party Advisory\"]}, {\"url\": \"https://groups.google.com/forum/#%21topic/kubernetes-security-announce/BMb_6ICCfp8\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DV3HCDZYUTPPVDUMTZXDKK6IUO3JMGJC/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}]",
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"secalert@redhat.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-300\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"NVD-CWE-Other\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2020-10749\",\"sourceIdentifier\":\"secalert@redhat.com\",\"published\":\"2020-06-03T14:15:12.470\",\"lastModified\":\"2024-11-21T04:55:59.307\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A vulnerability was found in all versions of containernetworking/plugins before version 0.8.6, that allows malicious containers in Kubernetes clusters to perform man-in-the-middle (MitM) attacks. A malicious container can exploit this flaw by sending rogue IPv6 router advertisements to the host or other containers, to redirect traffic to the malicious container.\"},{\"lang\":\"es\",\"value\":\"Se detect\u00f3 una vulnerabilidad en todas las versiones de containernetworking/plugins versiones anteriores a 0.8.6, que permite a contenedores maliciosos en los grupos de Kubernetes llevar a cabo ataques de tipo man-in-the-middle (MitM). Un contenedor malicioso puede explotar este fallo mediante el env\u00edo de anuncios de enrutadores IPv6 falsos al host u otros contenedores, para redireccionar el tr\u00e1fico al contenedor 
malicioso.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"secalert@redhat.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L\",\"baseScore\":6.0,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":1.8,\"impactScore\":3.7},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L\",\"baseScore\":6.0,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":1.8,\"impactScore\":3.7}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:S/C:P/I:P/A:P\",\"baseScore\":6.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"SINGLE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":6.8,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"secalert@redhat.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-300\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-Other\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:linuxfoundati
on:cni_network_plugins:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"0.8.6\",\"matchCriteriaId\":\"A3087899-12A3-45CA-9125-70DA2F255534\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:openshift_container_platform:4.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"932D137F-528B-4526-9A89-CD59FA1AB0FE\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"36D96259-24BD-44E2-96D9-78CE1D41F956\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"142AD0DD-4CF3-4D74-9442-459CE3347E3A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"F4CFF558-3C47-480D-A2F0-BABF26042943\"}]}]}],\"references\":[{\"url\":\"http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00063.html\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Broken Link\",\"Third Party Advisory\"]},{\"url\":\"http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00065.html\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Broken Link\",\"Third Party Advisory\"]},{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10749\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Issue Tracking\",\"Third Party Advisory\"]},{\"url\":\"https://groups.google.com/forum/#%21topic/kubernetes-security-announce/BMb_6ICCfp8\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DV3HCDZYUTPPVDUMTZXDKK6IUO3JMGJC/\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00063.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Broken Link\",\"Third Party 
Advisory\"]},{\"url\":\"http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00065.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Broken Link\",\"Third Party Advisory\"]},{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10749\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Issue Tracking\",\"Third Party Advisory\"]},{\"url\":\"https://groups.google.com/forum/#%21topic/kubernetes-security-announce/BMb_6ICCfp8\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DV3HCDZYUTPPVDUMTZXDKK6IUO3JMGJC/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
}
}
alsa-2020:4694
Vulnerability from osv_almalinux
The container-tools module contains tools for working with containers, notably podman, buildah, skopeo, and runc.
Security Fix(es):
- containernetworking/plugins: IPv6 router advertisements allow for MitM attacks on IPv4 clusters (CVE-2020-10749)
- QEMU: slirp: networking out-of-bounds read information disclosure vulnerability (CVE-2020-10756)
- golang.org/x/text: possibility to trigger an infinite loop in encoding/unicode could lead to crash (CVE-2020-14040)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section.
| URL | Type | |
|---|---|---|
{
"affected": [
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "libslirp"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.3.1-1.module_el8.6.0+2876+9ed4eae2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "libslirp-devel"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.3.1-1.module_el8.6.0+2876+9ed4eae2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "python-podman-api"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.2.0-0.2.gitd0a45fe.module_el8.5.0+2635+e4386a39"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "python-podman-api"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.2.0-0.2.gitd0a45fe.module_el8.5.0+108+00865455"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"details": "The container-tools module contains tools for working with containers, notably podman, buildah, skopeo, and runc.\n\nSecurity Fix(es):\n\n* containernetworking/plugins: IPv6 router advertisements allow for MitM attacks on IPv4 clusters (CVE-2020-10749)\n\n* QEMU: slirp: networking out-of-bounds read information disclosure vulnerability (CVE-2020-10756)\n\n* golang.org/x/text: possibility to trigger an infinite loop in encoding/unicode could lead to crash (CVE-2020-14040)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nAdditional Changes:\n\nFor detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section.",
"id": "ALSA-2020:4694",
"modified": "2020-11-03T19:50:37Z",
"published": "2020-11-03T12:27:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://errata.almalinux.org/8/ALSA-2020-4694.html"
},
{
"type": "REPORT",
"url": "https://vulners.com/cve/CVE-2020-10749"
},
{
"type": "REPORT",
"url": "https://vulners.com/cve/CVE-2020-10756"
},
{
"type": "REPORT",
"url": "https://vulners.com/cve/CVE-2020-14040"
}
],
"related": [
"CVE-2020-10749",
"CVE-2020-10756",
"CVE-2020-14040"
],
"summary": "Moderate: container-tools:rhel8 security, bug fix, and enhancement update"
}
FKIE_CVE-2020-10749
Vulnerability from fkie_nvd - Published: 2020-06-03 14:15 - Updated: 2024-11-21 04:55

6.0 (Medium) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L
| Vendor | Product | Version | |
|---|---|---|---|
| linuxfoundation | cni_network_plugins | * | |
| redhat | openshift_container_platform | 4.0 | |
| fedoraproject | fedora | 32 | |
| redhat | enterprise_linux | 7.0 | |
| redhat | enterprise_linux | 8.0 | |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:linuxfoundation:cni_network_plugins:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A3087899-12A3-45CA-9125-70DA2F255534",
"versionEndExcluding": "0.8.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:redhat:openshift_container_platform:4.0:*:*:*:*:*:*:*",
"matchCriteriaId": "932D137F-528B-4526-9A89-CD59FA1AB0FE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*",
"matchCriteriaId": "36D96259-24BD-44E2-96D9-78CE1D41F956",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*",
"matchCriteriaId": "142AD0DD-4CF3-4D74-9442-459CE3347E3A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*",
"matchCriteriaId": "F4CFF558-3C47-480D-A2F0-BABF26042943",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in all versions of containernetworking/plugins before version 0.8.6, that allows malicious containers in Kubernetes clusters to perform man-in-the-middle (MitM) attacks. A malicious container can exploit this flaw by sending rogue IPv6 router advertisements to the host or other containers, to redirect traffic to the malicious container."
},
{
"lang": "es",
"value": "Se detect\u00f3 una vulnerabilidad en todas las versiones de containernetworking/plugins versiones anteriores a 0.8.6, que permite a contenedores maliciosos en los grupos de Kubernetes llevar a cabo ataques de tipo man-in-the-middle (MitM). Un contenedor malicioso puede explotar este fallo mediante el env\u00edo de anuncios de enrutadores IPv6 falsos al host u otros contenedores, para redireccionar el tr\u00e1fico al contenedor malicioso."
}
],
"id": "CVE-2020-10749",
"lastModified": "2024-11-21T04:55:59.307",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.0,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 1.8,
"impactScore": 3.7,
"source": "secalert@redhat.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.0,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 1.8,
"impactScore": 3.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-03T14:15:12.470",
"references": [
{
"source": "secalert@redhat.com",
"tags": [
"Broken Link",
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00063.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Broken Link",
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00065.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10749"
},
{
"source": "secalert@redhat.com",
"url": "https://groups.google.com/forum/#%21topic/kubernetes-security-announce/BMb_6ICCfp8"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DV3HCDZYUTPPVDUMTZXDKK6IUO3JMGJC/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Broken Link",
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00063.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Broken Link",
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00065.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10749"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://groups.google.com/forum/#%21topic/kubernetes-security-announce/BMb_6ICCfp8"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DV3HCDZYUTPPVDUMTZXDKK6IUO3JMGJC/"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-300"
}
],
"source": "secalert@redhat.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
GHSA-FX6X-H9G4-56F8
Vulnerability from github – Published: 2022-05-24 17:19 – Updated: 2023-08-22 14:31

A vulnerability was found in all versions of containernetworking/plugins before version 0.8.6, that allows malicious containers in Kubernetes clusters to perform man-in-the-middle (MitM) attacks. A malicious container can exploit this flaw by sending rogue IPv6 router advertisements to the host or other containers, to redirect traffic to the malicious container.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/containernetworking/plugins"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.8.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-10749"
],
"database_specific": {
"cwe_ids": [
"CWE-300"
],
"github_reviewed": true,
"github_reviewed_at": "2023-07-13T20:04:42Z",
"nvd_published_at": "2020-06-03T14:15:00Z",
"severity": "MODERATE"
},
"details": "A vulnerability was found in all versions of containernetworking/plugins before version 0.8.6, that allows malicious containers in Kubernetes clusters to perform man-in-the-middle (MitM) attacks. A malicious container can exploit this flaw by sending rogue IPv6 router advertisements to the host or other containers, to redirect traffic to the malicious container.",
"id": "GHSA-fx6x-h9g4-56f8",
"modified": "2023-08-22T14:31:14Z",
"published": "2022-05-24T17:19:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10749"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10749"
},
{
"type": "PACKAGE",
"url": "https://github.com/containernetworking/plugins"
},
{
"type": "WEB",
"url": "https://github.com/containernetworking/plugins/releases/tag/v0.8.6"
},
{
"type": "WEB",
"url": "https://groups.google.com/forum/#!topic/kubernetes-security-announce/BMb_6ICCfp8"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DV3HCDZYUTPPVDUMTZXDKK6IUO3JMGJC"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00063.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00065.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "containernetworking/plugins vulnerable to MitM attacks"
}
GSD-2020-10749
Vulnerability from gsd - Updated: 2023-12-13 01:22

{
"GSD": {
"alias": "CVE-2020-10749",
"description": "A vulnerability was found in all versions of containernetworking/plugins before version 0.8.6, that allows malicious containers in Kubernetes clusters to perform man-in-the-middle (MitM) attacks. A malicious container can exploit this flaw by sending rogue IPv6 router advertisements to the host or other containers, to redirect traffic to the malicious container.",
"id": "GSD-2020-10749",
"references": [
"https://www.suse.com/security/cve/CVE-2020-10749.html",
"https://access.redhat.com/errata/RHSA-2020:5633",
"https://access.redhat.com/errata/RHSA-2020:4694",
"https://access.redhat.com/errata/RHSA-2020:3194",
"https://access.redhat.com/errata/RHSA-2020:2684",
"https://access.redhat.com/errata/RHSA-2020:2592",
"https://access.redhat.com/errata/RHSA-2020:2443",
"https://access.redhat.com/errata/RHSA-2020:2412",
"https://access.redhat.com/errata/RHSA-2020:2403",
"https://linux.oracle.com/cve/CVE-2020-10749.html"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2020-10749"
],
"details": "A vulnerability was found in all versions of containernetworking/plugins before version 0.8.6, that allows malicious containers in Kubernetes clusters to perform man-in-the-middle (MitM) attacks. A malicious container can exploit this flaw by sending rogue IPv6 router advertisements to the host or other containers, to redirect traffic to the malicious container.",
"id": "GSD-2020-10749",
"modified": "2023-12-13T01:22:04.415751Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2020-10749",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "containernetworking/plugins",
"version": {
"version_data": [
{
"version_value": "all containernetworking/plugins versions before version 0.8.6"
}
]
}
}
]
},
"vendor_name": "Red Hat"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A vulnerability was found in all versions of containernetworking/plugins before version 0.8.6, that allows malicious containers in Kubernetes clusters to perform man-in-the-middle (MitM) attacks. A malicious container can exploit this flaw by sending rogue IPv6 router advertisements to the host or other containers, to redirect traffic to the malicious container."
}
]
},
"impact": {
"cvss": [
[
{
"vectorString": "6/CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L",
"version": "3.0"
}
]
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-300"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10749",
"refsource": "CONFIRM",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10749"
},
{
"name": "https://groups.google.com/forum/#!topic/kubernetes-security-announce/BMb_6ICCfp8",
"refsource": "MISC",
"url": "https://groups.google.com/forum/#!topic/kubernetes-security-announce/BMb_6ICCfp8"
},
{
"name": "openSUSE-SU-2020:1049",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00063.html"
},
{
"name": "openSUSE-SU-2020:1050",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00065.html"
},
{
"name": "FEDORA-2021-ccb8a9c403",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DV3HCDZYUTPPVDUMTZXDKK6IUO3JMGJC/"
}
]
}
},
"gitlab.com": {
"advisories": [
{
"affected_range": "\u003cv0.8.6",
"affected_versions": "All versions before 0.8.6",
"cvss_v2": "AV:N/AC:M/Au:S/C:P/I:P/A:P",
"cvss_v3": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L",
"cwe_ids": [
"CWE-1035",
"CWE-937"
],
"date": "2023-07-13",
"description": "A vulnerability was found in all versions of containernetworking/plugins before version 0.8.6, that allows malicious containers in Kubernetes clusters to perform man-in-the-middle (MitM) attacks. A malicious container can exploit this flaw by sending rogue IPv6 router advertisements to the host or other containers, to redirect traffic to the malicious container.",
"fixed_versions": [
"v0.8.6"
],
"identifier": "CVE-2020-10749",
"identifiers": [
"GHSA-fx6x-h9g4-56f8",
"CVE-2020-10749"
],
"not_impacted": "All versions starting from 0.8.6",
"package_slug": "go/github.com/containernetworking/plugins",
"pubdate": "2022-05-24",
"solution": "Upgrade to version 0.8.6 or above.",
"title": "containernetworking/plugins vulnerable to MitM attacks",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2020-10749",
"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10749",
"https://groups.google.com/forum/#!topic/kubernetes-security-announce/BMb_6ICCfp8",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DV3HCDZYUTPPVDUMTZXDKK6IUO3JMGJC/",
"http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00063.html",
"http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00065.html",
"https://github.com/containernetworking/plugins/releases/tag/v0.8.6",
"https://github.com/advisories/GHSA-fx6x-h9g4-56f8"
],
"uuid": "e487919d-99ea-4f68-932a-0fa994028881",
"versions": [
{
"commit": {
"sha": "e4ad405c68b2181473fc6079eb5e45f8b2482145",
"tags": [
"v0.8.6"
],
"timestamp": "20200513074358"
},
"number": "v0.8.6"
}
]
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:linuxfoundation:cni_network_plugins:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "0.8.6",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:redhat:openshift_container_platform:4.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2020-10749"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "A vulnerability was found in all versions of containernetworking/plugins before version 0.8.6, that allows malicious containers in Kubernetes clusters to perform man-in-the-middle (MitM) attacks. A malicious container can exploit this flaw by sending rogue IPv6 router advertisements to the host or other containers, to redirect traffic to the malicious container."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://groups.google.com/forum/#!topic/kubernetes-security-announce/BMb_6ICCfp8",
"refsource": "MISC",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://groups.google.com/forum/#!topic/kubernetes-security-announce/BMb_6ICCfp8"
},
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10749",
"refsource": "CONFIRM",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10749"
},
{
"name": "openSUSE-SU-2020:1049",
"refsource": "SUSE",
"tags": [
"Broken Link",
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00063.html"
},
{
"name": "openSUSE-SU-2020:1050",
"refsource": "SUSE",
"tags": [
"Broken Link",
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00065.html"
},
{
"name": "FEDORA-2021-ccb8a9c403",
"refsource": "FEDORA",
"tags": [
"Third Party Advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DV3HCDZYUTPPVDUMTZXDKK6IUO3JMGJC/"
}
]
}
},
"impact": {
"baseMetricV2": {
"acInsufInfo": false,
"cvssV2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"userInteractionRequired": false
},
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.0,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 1.8,
"impactScore": 3.7
}
},
"lastModifiedDate": "2023-03-14T15:35Z",
"publishedDate": "2020-06-03T14:15Z"
}
}
}
OPENSUSE-SU-2020:1049-1
Vulnerability from csaf_opensuse - Published: 2020-07-23 14:22 - Updated: 2020-07-23 14:22

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 15.1:cni-plugins-0.8.6-lp151.2.6.1.x86_64 | — |
Vendor Fix
|
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for cni-plugins",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for cni-plugins fixes the following issues:\n\ncni-plugins updated to version 0.8.6\t \n\n- CVE-2020-10749: Fixed potential Man-in-the-Middle attacks in IPv4 clusters by spoofing IPv6 router advertisements (bsc#1172410).\n\nRelease notes: \nhttps://github.com/containernetworking/plugins/releases/tag/v0.8.6\n\nThis update was imported from the SUSE:SLE-15-SP1:Update update project.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-2020-1049",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2020_1049-1.json"
},
{
"category": "self",
"summary": "URL for openSUSE-SU-2020:1049-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/C2JOUC6WXDTN4XTZW27D2XR2FKVKS3CH/"
},
{
"category": "self",
"summary": "E-Mail link for openSUSE-SU-2020:1049-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/C2JOUC6WXDTN4XTZW27D2XR2FKVKS3CH/"
},
{
"category": "self",
"summary": "SUSE Bug 1172410",
"url": "https://bugzilla.suse.com/1172410"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2020-10749 page",
"url": "https://www.suse.com/security/cve/CVE-2020-10749/"
}
],
"title": "Security update for cni-plugins",
"tracking": {
"current_release_date": "2020-07-23T14:22:07Z",
"generator": {
"date": "2020-07-23T14:22:07Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2020:1049-1",
"initial_release_date": "2020-07-23T14:22:07Z",
"revision_history": [
{
"date": "2020-07-23T14:22:07Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "cni-plugins-0.8.6-lp151.2.6.1.x86_64",
"product": {
"name": "cni-plugins-0.8.6-lp151.2.6.1.x86_64",
"product_id": "cni-plugins-0.8.6-lp151.2.6.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Leap 15.1",
"product": {
"name": "openSUSE Leap 15.1",
"product_id": "openSUSE Leap 15.1",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:leap:15.1"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "cni-plugins-0.8.6-lp151.2.6.1.x86_64 as component of openSUSE Leap 15.1",
"product_id": "openSUSE Leap 15.1:cni-plugins-0.8.6-lp151.2.6.1.x86_64"
},
"product_reference": "cni-plugins-0.8.6-lp151.2.6.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.1"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2020-10749",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2020-10749"
}
],
"notes": [
{
"category": "general",
"text": "A vulnerability was found in all versions of containernetworking/plugins before version 0.8.6, that allows malicious containers in Kubernetes clusters to perform man-in-the-middle (MitM) attacks. A malicious container can exploit this flaw by sending rogue IPv6 router advertisements to the host or other containers, to redirect traffic to the malicious container.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 15.1:cni-plugins-0.8.6-lp151.2.6.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2020-10749",
"url": "https://www.suse.com/security/cve/CVE-2020-10749"
},
{
"category": "external",
"summary": "SUSE Bug 1172375 for CVE-2020-10749",
"url": "https://bugzilla.suse.com/1172375"
},
{
"category": "external",
"summary": "SUSE Bug 1172410 for CVE-2020-10749",
"url": "https://bugzilla.suse.com/1172410"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 15.1:cni-plugins-0.8.6-lp151.2.6.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"openSUSE Leap 15.1:cni-plugins-0.8.6-lp151.2.6.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2020-07-23T14:22:07Z",
"details": "moderate"
}
],
"title": "CVE-2020-10749"
}
]
}
OPENSUSE-SU-2020:1050-1
Vulnerability from csaf_opensuse - Published: 2020-07-23 18:21 - Updated: 2020-07-23 18:21

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 15.2:cni-plugins-0.8.6-lp152.2.4.1.x86_64 | — |
Vendor Fix
|
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for cni-plugins",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for cni-plugins fixes the following issues:\n\ncni-plugins updated to version 0.8.6\t \n\n- CVE-2020-10749: Fixed potential Man-in-the-Middle attacks in IPv4 clusters by spoofing IPv6 router advertisements (bsc#1172410).\n\nRelease notes: \nhttps://github.com/containernetworking/plugins/releases/tag/v0.8.6\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-2020-1050",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2020_1050-1.json"
},
{
"category": "self",
"summary": "URL for openSUSE-SU-2020:1050-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/BA7FX35L3WKZN6K2V7HF7RSMUNSP7RWF/"
},
{
"category": "self",
"summary": "E-Mail link for openSUSE-SU-2020:1050-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/BA7FX35L3WKZN6K2V7HF7RSMUNSP7RWF/"
},
{
"category": "self",
"summary": "SUSE Bug 1172410",
"url": "https://bugzilla.suse.com/1172410"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2020-10749 page",
"url": "https://www.suse.com/security/cve/CVE-2020-10749/"
}
],
"title": "Security update for cni-plugins",
"tracking": {
"current_release_date": "2020-07-23T18:21:27Z",
"generator": {
"date": "2020-07-23T18:21:27Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2020:1050-1",
"initial_release_date": "2020-07-23T18:21:27Z",
"revision_history": [
{
"date": "2020-07-23T18:21:27Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "cni-plugins-0.8.6-lp152.2.4.1.x86_64",
"product": {
"name": "cni-plugins-0.8.6-lp152.2.4.1.x86_64",
"product_id": "cni-plugins-0.8.6-lp152.2.4.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Leap 15.2",
"product": {
"name": "openSUSE Leap 15.2",
"product_id": "openSUSE Leap 15.2",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:leap:15.2"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "cni-plugins-0.8.6-lp152.2.4.1.x86_64 as component of openSUSE Leap 15.2",
"product_id": "openSUSE Leap 15.2:cni-plugins-0.8.6-lp152.2.4.1.x86_64"
},
"product_reference": "cni-plugins-0.8.6-lp152.2.4.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.2"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2020-10749",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2020-10749"
}
],
"notes": [
{
"category": "general",
"text": "A vulnerability was found in all versions of containernetworking/plugins before version 0.8.6, that allows malicious containers in Kubernetes clusters to perform man-in-the-middle (MitM) attacks. A malicious container can exploit this flaw by sending rogue IPv6 router advertisements to the host or other containers, to redirect traffic to the malicious container.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 15.2:cni-plugins-0.8.6-lp152.2.4.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2020-10749",
"url": "https://www.suse.com/security/cve/CVE-2020-10749"
},
{
"category": "external",
"summary": "SUSE Bug 1172375 for CVE-2020-10749",
"url": "https://bugzilla.suse.com/1172375"
},
{
"category": "external",
"summary": "SUSE Bug 1172410 for CVE-2020-10749",
"url": "https://bugzilla.suse.com/1172410"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 15.2:cni-plugins-0.8.6-lp152.2.4.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"openSUSE Leap 15.2:cni-plugins-0.8.6-lp152.2.4.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2020-07-23T18:21:27Z",
"details": "moderate"
}
],
"title": "CVE-2020-10749"
}
]
}
OPENSUSE-SU-2024:10689-1
Vulnerability from csaf_opensuse - Published: 2024-06-15 00:00 - Updated: 2024-06-15 00:00

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:cni-plugins-0.9.1-1.3.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:cni-plugins-0.9.1-1.3.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:cni-plugins-0.9.1-1.3.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:cni-plugins-0.9.1-1.3.x86_64 | — |
Vendor Fix
|
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "cni-plugins-0.9.1-1.3 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the cni-plugins-0.9.1-1.3 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2024-10689",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_10689-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2020-10749 page",
"url": "https://www.suse.com/security/cve/CVE-2020-10749/"
}
],
"title": "cni-plugins-0.9.1-1.3 on GA media",
"tracking": {
"current_release_date": "2024-06-15T00:00:00Z",
"generator": {
"date": "2024-06-15T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2024:10689-1",
"initial_release_date": "2024-06-15T00:00:00Z",
"revision_history": [
{
"date": "2024-06-15T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "cni-plugins-0.9.1-1.3.aarch64",
"product": {
"name": "cni-plugins-0.9.1-1.3.aarch64",
"product_id": "cni-plugins-0.9.1-1.3.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "cni-plugins-0.9.1-1.3.ppc64le",
"product": {
"name": "cni-plugins-0.9.1-1.3.ppc64le",
"product_id": "cni-plugins-0.9.1-1.3.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "cni-plugins-0.9.1-1.3.s390x",
"product": {
"name": "cni-plugins-0.9.1-1.3.s390x",
"product_id": "cni-plugins-0.9.1-1.3.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "cni-plugins-0.9.1-1.3.x86_64",
"product": {
"name": "cni-plugins-0.9.1-1.3.x86_64",
"product_id": "cni-plugins-0.9.1-1.3.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "cni-plugins-0.9.1-1.3.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:cni-plugins-0.9.1-1.3.aarch64"
},
"product_reference": "cni-plugins-0.9.1-1.3.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cni-plugins-0.9.1-1.3.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:cni-plugins-0.9.1-1.3.ppc64le"
},
"product_reference": "cni-plugins-0.9.1-1.3.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cni-plugins-0.9.1-1.3.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:cni-plugins-0.9.1-1.3.s390x"
},
"product_reference": "cni-plugins-0.9.1-1.3.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cni-plugins-0.9.1-1.3.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:cni-plugins-0.9.1-1.3.x86_64"
},
"product_reference": "cni-plugins-0.9.1-1.3.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2020-10749",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2020-10749"
}
],
"notes": [
{
"category": "general",
"text": "A vulnerability was found in all versions of containernetworking/plugins before version 0.8.6, that allows malicious containers in Kubernetes clusters to perform man-in-the-middle (MitM) attacks. A malicious container can exploit this flaw by sending rogue IPv6 router advertisements to the host or other containers, to redirect traffic to the malicious container.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:cni-plugins-0.9.1-1.3.aarch64",
"openSUSE Tumbleweed:cni-plugins-0.9.1-1.3.ppc64le",
"openSUSE Tumbleweed:cni-plugins-0.9.1-1.3.s390x",
"openSUSE Tumbleweed:cni-plugins-0.9.1-1.3.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2020-10749",
"url": "https://www.suse.com/security/cve/CVE-2020-10749"
},
{
"category": "external",
"summary": "SUSE Bug 1172375 for CVE-2020-10749",
"url": "https://bugzilla.suse.com/1172375"
},
{
"category": "external",
"summary": "SUSE Bug 1172410 for CVE-2020-10749",
"url": "https://bugzilla.suse.com/1172410"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:cni-plugins-0.9.1-1.3.aarch64",
"openSUSE Tumbleweed:cni-plugins-0.9.1-1.3.ppc64le",
"openSUSE Tumbleweed:cni-plugins-0.9.1-1.3.s390x",
"openSUSE Tumbleweed:cni-plugins-0.9.1-1.3.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:cni-plugins-0.9.1-1.3.aarch64",
"openSUSE Tumbleweed:cni-plugins-0.9.1-1.3.ppc64le",
"openSUSE Tumbleweed:cni-plugins-0.9.1-1.3.s390x",
"openSUSE Tumbleweed:cni-plugins-0.9.1-1.3.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2020-10749"
}
]
}
RHSA-2020:2403
Vulnerability from csaf_redhat - Published: 2020-06-17 20:52 - Updated: 2026-03-27 06:23

A vulnerability was found in affected container networking implementations that allows malicious containers in Kubernetes clusters to perform man-in-the-middle (MitM) attacks. A malicious container can exploit this flaw by sending “rogue” IPv6 router advertisements to the host or other containers, to redirect traffic to the malicious container.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-RH7-RHOSE-4.4:containernetworking-plugins-0:0.8.6-1.rhaos4.4.el7.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-RH7-RHOSE-4.4:containernetworking-plugins-0:0.8.6-1.rhaos4.4.el7.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-RH7-RHOSE-4.4:containernetworking-plugins-debuginfo-0:0.8.6-1.rhaos4.4.el7.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 8Base-RHOSE-4.4:containernetworking-plugins-0:0.8.6-1.rhaos4.4.el8.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 8Base-RHOSE-4.4:containernetworking-plugins-0:0.8.6-1.rhaos4.4.el8.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 8Base-RHOSE-4.4:containernetworking-plugins-debuginfo-0:0.8.6-1.rhaos4.4.el8.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 8Base-RHOSE-4.4:containernetworking-plugins-debugsource-0:0.8.6-1.rhaos4.4.el8.x86_64 | — |
Vendor Fix
fix
Workaround
|
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for containernetworking-plugins is now available for Red Hat OpenShift Container Platform 4.4.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat OpenShift Container Platform is Red Hat\u0027s cloud computing\nKubernetes application platform solution designed for on-premise or private\ncloud deployments.\n\nSecurity Fix(es):\n\n* containernetworking/plugins: IPv6 router advertisements allowed for MITM attacks on IPv4 clusters (CVE-2020-10749)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2020:2403",
"url": "https://access.redhat.com/errata/RHSA-2020:2403"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "1833220",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1833220"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2020/rhsa-2020_2403.json"
}
],
"title": "Red Hat Security Advisory: OpenShift Container Platform 4.4.8 containernetworking-plugins security update",
"tracking": {
"current_release_date": "2026-03-27T06:23:52+00:00",
"generator": {
"date": "2026-03-27T06:23:52+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.7.4"
}
},
"id": "RHSA-2020:2403",
"initial_release_date": "2020-06-17T20:52:16+00:00",
"revision_history": [
{
"date": "2020-06-17T20:52:16+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2020-06-17T20:52:16+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-03-27T06:23:52+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat OpenShift Container Platform 4.4",
"product": {
"name": "Red Hat OpenShift Container Platform 4.4",
"product_id": "8Base-RHOSE-4.4",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openshift:4.4::el8"
}
}
},
{
"category": "product_name",
"name": "Red Hat OpenShift Container Platform 4.4",
"product": {
"name": "Red Hat OpenShift Container Platform 4.4",
"product_id": "7Server-RH7-RHOSE-4.4",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openshift:4.4::el7"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenShift Enterprise"
},
{
"branches": [
{
"category": "product_version",
"name": "containernetworking-plugins-0:0.8.6-1.rhaos4.4.el8.x86_64",
"product": {
"name": "containernetworking-plugins-0:0.8.6-1.rhaos4.4.el8.x86_64",
"product_id": "containernetworking-plugins-0:0.8.6-1.rhaos4.4.el8.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/containernetworking-plugins@0.8.6-1.rhaos4.4.el8?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "containernetworking-plugins-debugsource-0:0.8.6-1.rhaos4.4.el8.x86_64",
"product": {
"name": "containernetworking-plugins-debugsource-0:0.8.6-1.rhaos4.4.el8.x86_64",
"product_id": "containernetworking-plugins-debugsource-0:0.8.6-1.rhaos4.4.el8.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/containernetworking-plugins-debugsource@0.8.6-1.rhaos4.4.el8?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "containernetworking-plugins-debuginfo-0:0.8.6-1.rhaos4.4.el8.x86_64",
"product": {
"name": "containernetworking-plugins-debuginfo-0:0.8.6-1.rhaos4.4.el8.x86_64",
"product_id": "containernetworking-plugins-debuginfo-0:0.8.6-1.rhaos4.4.el8.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/containernetworking-plugins-debuginfo@0.8.6-1.rhaos4.4.el8?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "containernetworking-plugins-0:0.8.6-1.rhaos4.4.el7.x86_64",
"product": {
"name": "containernetworking-plugins-0:0.8.6-1.rhaos4.4.el7.x86_64",
"product_id": "containernetworking-plugins-0:0.8.6-1.rhaos4.4.el7.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/containernetworking-plugins@0.8.6-1.rhaos4.4.el7?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "containernetworking-plugins-debuginfo-0:0.8.6-1.rhaos4.4.el7.x86_64",
"product": {
"name": "containernetworking-plugins-debuginfo-0:0.8.6-1.rhaos4.4.el7.x86_64",
"product_id": "containernetworking-plugins-debuginfo-0:0.8.6-1.rhaos4.4.el7.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/containernetworking-plugins-debuginfo@0.8.6-1.rhaos4.4.el7?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "containernetworking-plugins-0:0.8.6-1.rhaos4.4.el8.src",
"product": {
"name": "containernetworking-plugins-0:0.8.6-1.rhaos4.4.el8.src",
"product_id": "containernetworking-plugins-0:0.8.6-1.rhaos4.4.el8.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/containernetworking-plugins@0.8.6-1.rhaos4.4.el8?arch=src"
}
}
},
{
"category": "product_version",
"name": "containernetworking-plugins-0:0.8.6-1.rhaos4.4.el7.src",
"product": {
"name": "containernetworking-plugins-0:0.8.6-1.rhaos4.4.el7.src",
"product_id": "containernetworking-plugins-0:0.8.6-1.rhaos4.4.el7.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/containernetworking-plugins@0.8.6-1.rhaos4.4.el7?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "containernetworking-plugins-0:0.8.6-1.rhaos4.4.el7.src as a component of Red Hat OpenShift Container Platform 4.4",
"product_id": "7Server-RH7-RHOSE-4.4:containernetworking-plugins-0:0.8.6-1.rhaos4.4.el7.src"
},
"product_reference": "containernetworking-plugins-0:0.8.6-1.rhaos4.4.el7.src",
"relates_to_product_reference": "7Server-RH7-RHOSE-4.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "containernetworking-plugins-0:0.8.6-1.rhaos4.4.el7.x86_64 as a component of Red Hat OpenShift Container Platform 4.4",
"product_id": "7Server-RH7-RHOSE-4.4:containernetworking-plugins-0:0.8.6-1.rhaos4.4.el7.x86_64"
},
"product_reference": "containernetworking-plugins-0:0.8.6-1.rhaos4.4.el7.x86_64",
"relates_to_product_reference": "7Server-RH7-RHOSE-4.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "containernetworking-plugins-debuginfo-0:0.8.6-1.rhaos4.4.el7.x86_64 as a component of Red Hat OpenShift Container Platform 4.4",
"product_id": "7Server-RH7-RHOSE-4.4:containernetworking-plugins-debuginfo-0:0.8.6-1.rhaos4.4.el7.x86_64"
},
"product_reference": "containernetworking-plugins-debuginfo-0:0.8.6-1.rhaos4.4.el7.x86_64",
"relates_to_product_reference": "7Server-RH7-RHOSE-4.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "containernetworking-plugins-0:0.8.6-1.rhaos4.4.el8.src as a component of Red Hat OpenShift Container Platform 4.4",
"product_id": "8Base-RHOSE-4.4:containernetworking-plugins-0:0.8.6-1.rhaos4.4.el8.src"
},
"product_reference": "containernetworking-plugins-0:0.8.6-1.rhaos4.4.el8.src",
"relates_to_product_reference": "8Base-RHOSE-4.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "containernetworking-plugins-0:0.8.6-1.rhaos4.4.el8.x86_64 as a component of Red Hat OpenShift Container Platform 4.4",
"product_id": "8Base-RHOSE-4.4:containernetworking-plugins-0:0.8.6-1.rhaos4.4.el8.x86_64"
},
"product_reference": "containernetworking-plugins-0:0.8.6-1.rhaos4.4.el8.x86_64",
"relates_to_product_reference": "8Base-RHOSE-4.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "containernetworking-plugins-debuginfo-0:0.8.6-1.rhaos4.4.el8.x86_64 as a component of Red Hat OpenShift Container Platform 4.4",
"product_id": "8Base-RHOSE-4.4:containernetworking-plugins-debuginfo-0:0.8.6-1.rhaos4.4.el8.x86_64"
},
"product_reference": "containernetworking-plugins-debuginfo-0:0.8.6-1.rhaos4.4.el8.x86_64",
"relates_to_product_reference": "8Base-RHOSE-4.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "containernetworking-plugins-debugsource-0:0.8.6-1.rhaos4.4.el8.x86_64 as a component of Red Hat OpenShift Container Platform 4.4",
"product_id": "8Base-RHOSE-4.4:containernetworking-plugins-debugsource-0:0.8.6-1.rhaos4.4.el8.x86_64"
},
"product_reference": "containernetworking-plugins-debugsource-0:0.8.6-1.rhaos4.4.el8.x86_64",
"relates_to_product_reference": "8Base-RHOSE-4.4"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"the Kubernetes Product Security Committee"
]
},
{
"names": [
"Etienne Champetier"
],
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2020-10749",
"cwe": {
"id": "CWE-300",
"name": "Channel Accessible by Non-Endpoint"
},
"discovery_date": "2020-05-08T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1833220"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in affected container networking implementations that allow malicious containers in Kubernetes clusters to perform man-in-the-middle (MitM) attacks. A malicious container can exploit this flaw by sending \u201crogue\u201d IPv6 router advertisements to the host or other containers, to redirect traffic to the malicious container.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "containernetworking/plugins: IPv6 router advertisements allow for MitM attacks on IPv4 clusters",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "In OpenShift Container Platform 4, the default network plugin, OpenShift SDN, and OVN Kubernetes, do not forward IPv6 traffic, making this vulnerability not exploitable. The affected code from containernetworking/plugins is however still included in these plugins, hence this vulnerability is rated Low for both OpenShift SDN and OVN-Kubernetes.\n\nIPv6 traffic is not forwarded by the OpenShift SDN in OpenShift Container Platform 3.11, making this vulnerability not exploitable. However, the affected code from containernetworking/plugins is still included in the atomic-openshift package, hence this vulnerability is rated Low for OpenShift Container Platform 3.11.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-RHOSE-4.4:containernetworking-plugins-0:0.8.6-1.rhaos4.4.el7.src",
"7Server-RH7-RHOSE-4.4:containernetworking-plugins-0:0.8.6-1.rhaos4.4.el7.x86_64",
"7Server-RH7-RHOSE-4.4:containernetworking-plugins-debuginfo-0:0.8.6-1.rhaos4.4.el7.x86_64",
"8Base-RHOSE-4.4:containernetworking-plugins-0:0.8.6-1.rhaos4.4.el8.src",
"8Base-RHOSE-4.4:containernetworking-plugins-0:0.8.6-1.rhaos4.4.el8.x86_64",
"8Base-RHOSE-4.4:containernetworking-plugins-debuginfo-0:0.8.6-1.rhaos4.4.el8.x86_64",
"8Base-RHOSE-4.4:containernetworking-plugins-debugsource-0:0.8.6-1.rhaos4.4.el8.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-10749"
},
{
"category": "external",
"summary": "RHBZ#1833220",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1833220"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-10749",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-10749"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-10749",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10749"
},
{
"category": "external",
"summary": "https://groups.google.com/forum/#!topic/kubernetes-security-announce/BMb_6ICCfp8",
"url": "https://groups.google.com/forum/#!topic/kubernetes-security-announce/BMb_6ICCfp8"
}
],
"release_date": "2020-06-01T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2020-06-17T20:52:16+00:00",
"details": "For OpenShift Container Platform 4.4 see the following documentation, which\nwill be updated shortly for release 4.4.8, for important instructions on\nhow to upgrade your cluster and fully apply this asynchronous errata\nupdate:\n\nhttps://docs.openshift.com/container-platform/4.4/release_notes/ocp-4-4-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.4/updating/updating-cluster-cli.html.",
"product_ids": [
"7Server-RH7-RHOSE-4.4:containernetworking-plugins-0:0.8.6-1.rhaos4.4.el7.src",
"7Server-RH7-RHOSE-4.4:containernetworking-plugins-0:0.8.6-1.rhaos4.4.el7.x86_64",
"7Server-RH7-RHOSE-4.4:containernetworking-plugins-debuginfo-0:0.8.6-1.rhaos4.4.el7.x86_64",
"8Base-RHOSE-4.4:containernetworking-plugins-0:0.8.6-1.rhaos4.4.el8.src",
"8Base-RHOSE-4.4:containernetworking-plugins-0:0.8.6-1.rhaos4.4.el8.x86_64",
"8Base-RHOSE-4.4:containernetworking-plugins-debuginfo-0:0.8.6-1.rhaos4.4.el8.x86_64",
"8Base-RHOSE-4.4:containernetworking-plugins-debugsource-0:0.8.6-1.rhaos4.4.el8.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2020:2403"
},
{
"category": "workaround",
"details": "Prevent untrusted, non-privileged containers from running with CAP_NET_RAW.",
"product_ids": [
"7Server-RH7-RHOSE-4.4:containernetworking-plugins-0:0.8.6-1.rhaos4.4.el7.src",
"7Server-RH7-RHOSE-4.4:containernetworking-plugins-0:0.8.6-1.rhaos4.4.el7.x86_64",
"7Server-RH7-RHOSE-4.4:containernetworking-plugins-debuginfo-0:0.8.6-1.rhaos4.4.el7.x86_64",
"8Base-RHOSE-4.4:containernetworking-plugins-0:0.8.6-1.rhaos4.4.el8.src",
"8Base-RHOSE-4.4:containernetworking-plugins-0:0.8.6-1.rhaos4.4.el8.x86_64",
"8Base-RHOSE-4.4:containernetworking-plugins-debuginfo-0:0.8.6-1.rhaos4.4.el8.x86_64",
"8Base-RHOSE-4.4:containernetworking-plugins-debugsource-0:0.8.6-1.rhaos4.4.el8.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.0,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"7Server-RH7-RHOSE-4.4:containernetworking-plugins-0:0.8.6-1.rhaos4.4.el7.src",
"7Server-RH7-RHOSE-4.4:containernetworking-plugins-0:0.8.6-1.rhaos4.4.el7.x86_64",
"7Server-RH7-RHOSE-4.4:containernetworking-plugins-debuginfo-0:0.8.6-1.rhaos4.4.el7.x86_64",
"8Base-RHOSE-4.4:containernetworking-plugins-0:0.8.6-1.rhaos4.4.el8.src",
"8Base-RHOSE-4.4:containernetworking-plugins-0:0.8.6-1.rhaos4.4.el8.x86_64",
"8Base-RHOSE-4.4:containernetworking-plugins-debuginfo-0:0.8.6-1.rhaos4.4.el8.x86_64",
"8Base-RHOSE-4.4:containernetworking-plugins-debugsource-0:0.8.6-1.rhaos4.4.el8.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "containernetworking/plugins: IPv6 router advertisements allow for MitM attacks on IPv4 clusters"
}
]
}
RHSA-2020:2412
Vulnerability from csaf_redhat - Published: 2020-07-13 17:22 - Updated: 2026-05-16 02:02
A flaw was found in Kubernetes that allows the logging of credentials when mounting AzureFile and CephFS volumes. This flaw allows an attacker to access kubelet logs, read the credentials, and use them to access other services. The highest threat from this vulnerability is to confidentiality.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-RH7-RHOSE-4.5:openshift4/ose-hyperkube@sha256:4e2b3627fe571bc63d57290cf96b914d45ebe2e0efe0b14bd3530fd34e7b288c_amd64 | — |
Vendor Fix
fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-capacity@sha256:d5e08d20c26a06ba87da356e9d2214b3c2a9b0f95b7e38028afbd8bb48b1ca92_amd64 | — | ||
| Unresolved product id: 7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-logging-operator@sha256:ba8d0825e4a292d16eae81a02bc24bb069ed547e9d1910449746cf0a643d2fe2_amd64 | — | ||
| Unresolved product id: 7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-machine-approver@sha256:42c4d1b8d4597b6d36f0d38579484bfeae16bbbdcf08801405ee19e6758a361d_amd64 | — | ||
| Unresolved product id: 7Server-RH7-RHOSE-4.5:openshift4/ose-console@sha256:9b3eae3982cbfe287635f85a3eecf9aabdb233d3e6c8df725190e214d4521034_amd64 | — | ||
| Unresolved product id: 7Server-RH7-RHOSE-4.5:openshift4/ose-multus-cni@sha256:2a2674e5f2422cb2f1c61299cbd5a72576161d12707f86b5131e46c13d5f33e3_amd64 | — | ||
| Unresolved product id: 7Server-RH7-RHOSE-4.5:openshift4/ose-oauth-server-rhel7@sha256:143209653c725c16da6312e1cc7cc1a8c6ac634aee1eb6d5d52c31244cadc6df_amd64 | — |
The Kubernetes API Server component in versions 1.1-1.14, and versions prior to 1.15.10, 1.16.7 and 1.17.3 allows an authorized user who sends malicious YAML payloads to cause the kube-apiserver to consume excessive CPU cycles while parsing YAML.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-RH7-RHOSE-4.5:openshift4/ose-hyperkube@sha256:4e2b3627fe571bc63d57290cf96b914d45ebe2e0efe0b14bd3530fd34e7b288c_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-RH7-RHOSE-4.5:openshift4/ose-oauth-server-rhel7@sha256:143209653c725c16da6312e1cc7cc1a8c6ac634aee1eb6d5d52c31244cadc6df_amd64 | — |
Vendor Fix
fix
Workaround
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-capacity@sha256:d5e08d20c26a06ba87da356e9d2214b3c2a9b0f95b7e38028afbd8bb48b1ca92_amd64 | — |
Workaround
|
|
| Unresolved product id: 7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-logging-operator@sha256:ba8d0825e4a292d16eae81a02bc24bb069ed547e9d1910449746cf0a643d2fe2_amd64 | — |
Workaround
|
|
| Unresolved product id: 7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-machine-approver@sha256:42c4d1b8d4597b6d36f0d38579484bfeae16bbbdcf08801405ee19e6758a361d_amd64 | — |
Workaround
|
|
| Unresolved product id: 7Server-RH7-RHOSE-4.5:openshift4/ose-console@sha256:9b3eae3982cbfe287635f85a3eecf9aabdb233d3e6c8df725190e214d4521034_amd64 | — |
Workaround
|
|
| Unresolved product id: 7Server-RH7-RHOSE-4.5:openshift4/ose-multus-cni@sha256:2a2674e5f2422cb2f1c61299cbd5a72576161d12707f86b5131e46c13d5f33e3_amd64 | — |
Workaround
|
A Prototype Pollution vulnerability was found in jquery. Untrusted JSON passed to the `extend` function could lead to modifying objects up the prototype chain, including the global Object. A crafted JSON object passed to a vulnerable method could lead to denial of service or data injection, with various consequences.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-RH7-RHOSE-4.5:openshift4/ose-console@sha256:9b3eae3982cbfe287635f85a3eecf9aabdb233d3e6c8df725190e214d4521034_amd64 | — |
Vendor Fix
fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-capacity@sha256:d5e08d20c26a06ba87da356e9d2214b3c2a9b0f95b7e38028afbd8bb48b1ca92_amd64 | — | ||
| Unresolved product id: 7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-logging-operator@sha256:ba8d0825e4a292d16eae81a02bc24bb069ed547e9d1910449746cf0a643d2fe2_amd64 | — | ||
| Unresolved product id: 7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-machine-approver@sha256:42c4d1b8d4597b6d36f0d38579484bfeae16bbbdcf08801405ee19e6758a361d_amd64 | — | ||
| Unresolved product id: 7Server-RH7-RHOSE-4.5:openshift4/ose-hyperkube@sha256:4e2b3627fe571bc63d57290cf96b914d45ebe2e0efe0b14bd3530fd34e7b288c_amd64 | — | ||
| Unresolved product id: 7Server-RH7-RHOSE-4.5:openshift4/ose-multus-cni@sha256:2a2674e5f2422cb2f1c61299cbd5a72576161d12707f86b5131e46c13d5f33e3_amd64 | — | ||
| Unresolved product id: 7Server-RH7-RHOSE-4.5:openshift4/ose-oauth-server-rhel7@sha256:143209653c725c16da6312e1cc7cc1a8c6ac634aee1eb6d5d52c31244cadc6df_amd64 | — |
A flaw was found in Kubernetes that allows attackers on adjacent networks to reach services exposed on localhost ports, previously thought to be unreachable. This flaw allows an attacker to gain privileges or access confidential information for any services listening on localhost ports that are not protected by authentication.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-RH7-RHOSE-4.5:openshift4/ose-hyperkube@sha256:4e2b3627fe571bc63d57290cf96b914d45ebe2e0efe0b14bd3530fd34e7b288c_amd64 | — |
Vendor Fix
fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-capacity@sha256:d5e08d20c26a06ba87da356e9d2214b3c2a9b0f95b7e38028afbd8bb48b1ca92_amd64 | — | ||
| Unresolved product id: 7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-logging-operator@sha256:ba8d0825e4a292d16eae81a02bc24bb069ed547e9d1910449746cf0a643d2fe2_amd64 | — | ||
| Unresolved product id: 7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-machine-approver@sha256:42c4d1b8d4597b6d36f0d38579484bfeae16bbbdcf08801405ee19e6758a361d_amd64 | — | ||
| Unresolved product id: 7Server-RH7-RHOSE-4.5:openshift4/ose-console@sha256:9b3eae3982cbfe287635f85a3eecf9aabdb233d3e6c8df725190e214d4521034_amd64 | — | ||
| Unresolved product id: 7Server-RH7-RHOSE-4.5:openshift4/ose-multus-cni@sha256:2a2674e5f2422cb2f1c61299cbd5a72576161d12707f86b5131e46c13d5f33e3_amd64 | — | ||
| Unresolved product id: 7Server-RH7-RHOSE-4.5:openshift4/ose-oauth-server-rhel7@sha256:143209653c725c16da6312e1cc7cc1a8c6ac634aee1eb6d5d52c31244cadc6df_amd64 | — |
A denial of service vulnerability was found in the SSH package of the golang.org/x/crypto library. An attacker could exploit this flaw by supplying crafted SSH ed25519 keys to cause a crash in applications that use this package as either an SSH client or server.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-logging-operator@sha256:ba8d0825e4a292d16eae81a02bc24bb069ed547e9d1910449746cf0a643d2fe2_amd64 | — |
Vendor Fix
fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-capacity@sha256:d5e08d20c26a06ba87da356e9d2214b3c2a9b0f95b7e38028afbd8bb48b1ca92_amd64 | — | ||
| Unresolved product id: 7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-machine-approver@sha256:42c4d1b8d4597b6d36f0d38579484bfeae16bbbdcf08801405ee19e6758a361d_amd64 | — | ||
| Unresolved product id: 7Server-RH7-RHOSE-4.5:openshift4/ose-console@sha256:9b3eae3982cbfe287635f85a3eecf9aabdb233d3e6c8df725190e214d4521034_amd64 | — | ||
| Unresolved product id: 7Server-RH7-RHOSE-4.5:openshift4/ose-hyperkube@sha256:4e2b3627fe571bc63d57290cf96b914d45ebe2e0efe0b14bd3530fd34e7b288c_amd64 | — | ||
| Unresolved product id: 7Server-RH7-RHOSE-4.5:openshift4/ose-multus-cni@sha256:2a2674e5f2422cb2f1c61299cbd5a72576161d12707f86b5131e46c13d5f33e3_amd64 | — | ||
| Unresolved product id: 7Server-RH7-RHOSE-4.5:openshift4/ose-oauth-server-rhel7@sha256:143209653c725c16da6312e1cc7cc1a8c6ac634aee1eb6d5d52c31244cadc6df_amd64 | — |
A vulnerability was found in affected container networking implementations that allow malicious containers in Kubernetes clusters to perform man-in-the-middle (MitM) attacks. A malicious container can exploit this flaw by sending “rogue” IPv6 router advertisements to the host or other containers, to redirect traffic to the malicious container.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-RH7-RHOSE-4.5:openshift4/ose-multus-cni@sha256:2a2674e5f2422cb2f1c61299cbd5a72576161d12707f86b5131e46c13d5f33e3_amd64 | — |
Vendor Fix
fix
Workaround
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-capacity@sha256:d5e08d20c26a06ba87da356e9d2214b3c2a9b0f95b7e38028afbd8bb48b1ca92_amd64 | — |
Workaround
|
|
| Unresolved product id: 7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-logging-operator@sha256:ba8d0825e4a292d16eae81a02bc24bb069ed547e9d1910449746cf0a643d2fe2_amd64 | — |
Workaround
|
|
| Unresolved product id: 7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-machine-approver@sha256:42c4d1b8d4597b6d36f0d38579484bfeae16bbbdcf08801405ee19e6758a361d_amd64 | — |
Workaround
|
|
| Unresolved product id: 7Server-RH7-RHOSE-4.5:openshift4/ose-console@sha256:9b3eae3982cbfe287635f85a3eecf9aabdb233d3e6c8df725190e214d4521034_amd64 | — |
Workaround
|
|
| Unresolved product id: 7Server-RH7-RHOSE-4.5:openshift4/ose-hyperkube@sha256:4e2b3627fe571bc63d57290cf96b914d45ebe2e0efe0b14bd3530fd34e7b288c_amd64 | — |
Workaround
|
|
| Unresolved product id: 7Server-RH7-RHOSE-4.5:openshift4/ose-oauth-server-rhel7@sha256:143209653c725c16da6312e1cc7cc1a8c6ac634aee1eb6d5d52c31244cadc6df_amd64 | — |
Workaround
|
A Cross-site scripting (XSS) vulnerability exists in jQuery. This flaw allows an attacker with the ability to supply input to the ‘HTML’ function to inject JavaScript into the page where that input is rendered, and have it delivered by the browser.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-RH7-RHOSE-4.5:openshift4/ose-console@sha256:9b3eae3982cbfe287635f85a3eecf9aabdb233d3e6c8df725190e214d4521034_amd64 | — |
Vendor Fix
fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-capacity@sha256:d5e08d20c26a06ba87da356e9d2214b3c2a9b0f95b7e38028afbd8bb48b1ca92_amd64 | — | ||
| Unresolved product id: 7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-logging-operator@sha256:ba8d0825e4a292d16eae81a02bc24bb069ed547e9d1910449746cf0a643d2fe2_amd64 | — | ||
| Unresolved product id: 7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-machine-approver@sha256:42c4d1b8d4597b6d36f0d38579484bfeae16bbbdcf08801405ee19e6758a361d_amd64 | — | ||
| Unresolved product id: 7Server-RH7-RHOSE-4.5:openshift4/ose-hyperkube@sha256:4e2b3627fe571bc63d57290cf96b914d45ebe2e0efe0b14bd3530fd34e7b288c_amd64 | — | ||
| Unresolved product id: 7Server-RH7-RHOSE-4.5:openshift4/ose-multus-cni@sha256:2a2674e5f2422cb2f1c61299cbd5a72576161d12707f86b5131e46c13d5f33e3_amd64 | — | ||
| Unresolved product id: 7Server-RH7-RHOSE-4.5:openshift4/ose-oauth-server-rhel7@sha256:143209653c725c16da6312e1cc7cc1a8c6ac634aee1eb6d5d52c31244cadc6df_amd64 | — |
A flaw was found in jQuery. When HTML containing \<option\> elements from untrusted sources is passed, even after sanitizing, to one of jQuery's DOM manipulation methods, untrusted code may be executed. The highest threat from this vulnerability is to data confidentiality and integrity.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-RH7-RHOSE-4.5:openshift4/ose-console@sha256:9b3eae3982cbfe287635f85a3eecf9aabdb233d3e6c8df725190e214d4521034_amd64 | — |
Vendor Fix
fix
Workaround
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-capacity@sha256:d5e08d20c26a06ba87da356e9d2214b3c2a9b0f95b7e38028afbd8bb48b1ca92_amd64 | — |
Workaround
|
|
| Unresolved product id: 7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-logging-operator@sha256:ba8d0825e4a292d16eae81a02bc24bb069ed547e9d1910449746cf0a643d2fe2_amd64 | — |
Workaround
|
|
| Unresolved product id: 7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-machine-approver@sha256:42c4d1b8d4597b6d36f0d38579484bfeae16bbbdcf08801405ee19e6758a361d_amd64 | — |
Workaround
|
|
| Unresolved product id: 7Server-RH7-RHOSE-4.5:openshift4/ose-hyperkube@sha256:4e2b3627fe571bc63d57290cf96b914d45ebe2e0efe0b14bd3530fd34e7b288c_amd64 | — |
Workaround
|
|
| Unresolved product id: 7Server-RH7-RHOSE-4.5:openshift4/ose-multus-cni@sha256:2a2674e5f2422cb2f1c61299cbd5a72576161d12707f86b5131e46c13d5f33e3_amd64 | — |
Workaround
|
|
| Unresolved product id: 7Server-RH7-RHOSE-4.5:openshift4/ose-oauth-server-rhel7@sha256:143209653c725c16da6312e1cc7cc1a8c6ac634aee1eb6d5d52c31244cadc6df_amd64 | — |
Workaround
|
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update is now available for Red Hat OpenShift Container Platform 4.5.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat OpenShift Container Platform is Red Hat\u0027s cloud computing\nKubernetes application platform solution designed for on-premise or private\ncloud deployments.\n\nSecurity Fix(es):\n\n* golang.org/x/crypto: Processing of crafted ssh-ed25519 public keys allowed for panic (CVE-2020-9283)\n\n* kubernetes: Denial of service in API server via crafted YAML payloads by authorized users (CVE-2019-11254)\n\n* js-jquery: prototype pollution in object\u0027s prototype led to denial of service or remote code execution or property injection (CVE-2019-11358)\n\n* kubernetes: node localhost services reachable via martian packets (CVE-2020-8558)\n\n* containernetworking/plugins: IPv6 router advertisements allowed for MitM attacks on IPv4 clusters (CVE-2020-10749)\n\n* jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method (CVE-2020-11022)\n\n* jQuery: passing HTML containing \u003coption\u003e elements to manipulation methods could result in untrusted code execution (CVE-2020-11023)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2020:2412",
"url": "https://access.redhat.com/errata/RHSA-2020:2412"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "1701972",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1701972"
},
{
"category": "external",
"summary": "1804533",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1804533"
},
{
"category": "external",
"summary": "1819486",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1819486"
},
{
"category": "external",
"summary": "1828406",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1828406"
},
{
"category": "external",
"summary": "1833220",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1833220"
},
{
"category": "external",
"summary": "1843358",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1843358"
},
{
"category": "external",
"summary": "1850004",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1850004"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2020/rhsa-2020_2412.json"
}
],
"title": "Red Hat Security Advisory: OpenShift Container Platform 4.5 container image security update",
"tracking": {
"current_release_date": "2026-05-16T02:02:50+00:00",
"generator": {
"date": "2026-05-16T02:02:50+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.8.0"
}
},
"id": "RHSA-2020:2412",
"initial_release_date": "2020-07-13T17:22:28+00:00",
"revision_history": [
{
"date": "2020-07-13T17:22:28+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2020-07-13T17:22:28+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-05-16T02:02:50+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat OpenShift Container Platform 4.5",
"product": {
"name": "Red Hat OpenShift Container Platform 4.5",
"product_id": "7Server-RH7-RHOSE-4.5",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openshift:4.5::el7"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenShift Enterprise"
},
{
"branches": [
{
"category": "product_version",
"name": "openshift4/ose-cluster-logging-operator@sha256:ba8d0825e4a292d16eae81a02bc24bb069ed547e9d1910449746cf0a643d2fe2_amd64",
"product": {
"name": "openshift4/ose-cluster-logging-operator@sha256:ba8d0825e4a292d16eae81a02bc24bb069ed547e9d1910449746cf0a643d2fe2_amd64",
"product_id": "openshift4/ose-cluster-logging-operator@sha256:ba8d0825e4a292d16eae81a02bc24bb069ed547e9d1910449746cf0a643d2fe2_amd64",
"product_identification_helper": {
"purl": "pkg:oci/ose-cluster-logging-operator@sha256:ba8d0825e4a292d16eae81a02bc24bb069ed547e9d1910449746cf0a643d2fe2?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-cluster-logging-operator\u0026tag=v4.5.0-202007012112.p0"
}
}
},
{
"category": "product_version",
"name": "openshift4/ose-multus-cni@sha256:2a2674e5f2422cb2f1c61299cbd5a72576161d12707f86b5131e46c13d5f33e3_amd64",
"product": {
"name": "openshift4/ose-multus-cni@sha256:2a2674e5f2422cb2f1c61299cbd5a72576161d12707f86b5131e46c13d5f33e3_amd64",
"product_id": "openshift4/ose-multus-cni@sha256:2a2674e5f2422cb2f1c61299cbd5a72576161d12707f86b5131e46c13d5f33e3_amd64",
"product_identification_helper": {
"purl": "pkg:oci/ose-multus-cni@sha256:2a2674e5f2422cb2f1c61299cbd5a72576161d12707f86b5131e46c13d5f33e3?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-multus-cni\u0026tag=v4.5.0-202007012112.p0"
}
}
},
{
"category": "product_version",
"name": "openshift4/ose-oauth-server-rhel7@sha256:143209653c725c16da6312e1cc7cc1a8c6ac634aee1eb6d5d52c31244cadc6df_amd64",
"product": {
"name": "openshift4/ose-oauth-server-rhel7@sha256:143209653c725c16da6312e1cc7cc1a8c6ac634aee1eb6d5d52c31244cadc6df_amd64",
"product_id": "openshift4/ose-oauth-server-rhel7@sha256:143209653c725c16da6312e1cc7cc1a8c6ac634aee1eb6d5d52c31244cadc6df_amd64",
"product_identification_helper": {
"purl": "pkg:oci/ose-oauth-server-rhel7@sha256:143209653c725c16da6312e1cc7cc1a8c6ac634aee1eb6d5d52c31244cadc6df?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-oauth-server-rhel7\u0026tag=v4.5.0-202007012112.p0"
}
}
},
{
"category": "product_version",
"name": "openshift4/ose-cluster-capacity@sha256:d5e08d20c26a06ba87da356e9d2214b3c2a9b0f95b7e38028afbd8bb48b1ca92_amd64",
"product": {
"name": "openshift4/ose-cluster-capacity@sha256:d5e08d20c26a06ba87da356e9d2214b3c2a9b0f95b7e38028afbd8bb48b1ca92_amd64",
"product_id": "openshift4/ose-cluster-capacity@sha256:d5e08d20c26a06ba87da356e9d2214b3c2a9b0f95b7e38028afbd8bb48b1ca92_amd64",
"product_identification_helper": {
"purl": "pkg:oci/ose-cluster-capacity@sha256:d5e08d20c26a06ba87da356e9d2214b3c2a9b0f95b7e38028afbd8bb48b1ca92?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-cluster-capacity\u0026tag=v4.5.0-202007012112.p0"
}
}
},
{
"category": "product_version",
"name": "openshift4/ose-console@sha256:9b3eae3982cbfe287635f85a3eecf9aabdb233d3e6c8df725190e214d4521034_amd64",
"product": {
"name": "openshift4/ose-console@sha256:9b3eae3982cbfe287635f85a3eecf9aabdb233d3e6c8df725190e214d4521034_amd64",
"product_id": "openshift4/ose-console@sha256:9b3eae3982cbfe287635f85a3eecf9aabdb233d3e6c8df725190e214d4521034_amd64",
"product_identification_helper": {
"purl": "pkg:oci/ose-console@sha256:9b3eae3982cbfe287635f85a3eecf9aabdb233d3e6c8df725190e214d4521034?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-console\u0026tag=v4.5.0-202007012112.p0"
}
}
},
{
"category": "product_version",
"name": "openshift4/ose-hyperkube@sha256:4e2b3627fe571bc63d57290cf96b914d45ebe2e0efe0b14bd3530fd34e7b288c_amd64",
"product": {
"name": "openshift4/ose-hyperkube@sha256:4e2b3627fe571bc63d57290cf96b914d45ebe2e0efe0b14bd3530fd34e7b288c_amd64",
"product_id": "openshift4/ose-hyperkube@sha256:4e2b3627fe571bc63d57290cf96b914d45ebe2e0efe0b14bd3530fd34e7b288c_amd64",
"product_identification_helper": {
"purl": "pkg:oci/ose-hyperkube@sha256:4e2b3627fe571bc63d57290cf96b914d45ebe2e0efe0b14bd3530fd34e7b288c?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-hyperkube\u0026tag=v4.5.0-202007100518.p0"
}
}
},
{
"category": "product_version",
"name": "openshift4/ose-cluster-machine-approver@sha256:42c4d1b8d4597b6d36f0d38579484bfeae16bbbdcf08801405ee19e6758a361d_amd64",
"product": {
"name": "openshift4/ose-cluster-machine-approver@sha256:42c4d1b8d4597b6d36f0d38579484bfeae16bbbdcf08801405ee19e6758a361d_amd64",
"product_id": "openshift4/ose-cluster-machine-approver@sha256:42c4d1b8d4597b6d36f0d38579484bfeae16bbbdcf08801405ee19e6758a361d_amd64",
"product_identification_helper": {
"purl": "pkg:oci/ose-cluster-machine-approver@sha256:42c4d1b8d4597b6d36f0d38579484bfeae16bbbdcf08801405ee19e6758a361d?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-cluster-machine-approver\u0026tag=v4.5.0-202007012112.p0"
}
}
}
],
"category": "architecture",
"name": "amd64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift4/ose-cluster-capacity@sha256:d5e08d20c26a06ba87da356e9d2214b3c2a9b0f95b7e38028afbd8bb48b1ca92_amd64 as a component of Red Hat OpenShift Container Platform 4.5",
"product_id": "7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-capacity@sha256:d5e08d20c26a06ba87da356e9d2214b3c2a9b0f95b7e38028afbd8bb48b1ca92_amd64"
},
"product_reference": "openshift4/ose-cluster-capacity@sha256:d5e08d20c26a06ba87da356e9d2214b3c2a9b0f95b7e38028afbd8bb48b1ca92_amd64",
"relates_to_product_reference": "7Server-RH7-RHOSE-4.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift4/ose-cluster-logging-operator@sha256:ba8d0825e4a292d16eae81a02bc24bb069ed547e9d1910449746cf0a643d2fe2_amd64 as a component of Red Hat OpenShift Container Platform 4.5",
"product_id": "7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-logging-operator@sha256:ba8d0825e4a292d16eae81a02bc24bb069ed547e9d1910449746cf0a643d2fe2_amd64"
},
"product_reference": "openshift4/ose-cluster-logging-operator@sha256:ba8d0825e4a292d16eae81a02bc24bb069ed547e9d1910449746cf0a643d2fe2_amd64",
"relates_to_product_reference": "7Server-RH7-RHOSE-4.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift4/ose-cluster-machine-approver@sha256:42c4d1b8d4597b6d36f0d38579484bfeae16bbbdcf08801405ee19e6758a361d_amd64 as a component of Red Hat OpenShift Container Platform 4.5",
"product_id": "7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-machine-approver@sha256:42c4d1b8d4597b6d36f0d38579484bfeae16bbbdcf08801405ee19e6758a361d_amd64"
},
"product_reference": "openshift4/ose-cluster-machine-approver@sha256:42c4d1b8d4597b6d36f0d38579484bfeae16bbbdcf08801405ee19e6758a361d_amd64",
"relates_to_product_reference": "7Server-RH7-RHOSE-4.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift4/ose-console@sha256:9b3eae3982cbfe287635f85a3eecf9aabdb233d3e6c8df725190e214d4521034_amd64 as a component of Red Hat OpenShift Container Platform 4.5",
"product_id": "7Server-RH7-RHOSE-4.5:openshift4/ose-console@sha256:9b3eae3982cbfe287635f85a3eecf9aabdb233d3e6c8df725190e214d4521034_amd64"
},
"product_reference": "openshift4/ose-console@sha256:9b3eae3982cbfe287635f85a3eecf9aabdb233d3e6c8df725190e214d4521034_amd64",
"relates_to_product_reference": "7Server-RH7-RHOSE-4.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift4/ose-hyperkube@sha256:4e2b3627fe571bc63d57290cf96b914d45ebe2e0efe0b14bd3530fd34e7b288c_amd64 as a component of Red Hat OpenShift Container Platform 4.5",
"product_id": "7Server-RH7-RHOSE-4.5:openshift4/ose-hyperkube@sha256:4e2b3627fe571bc63d57290cf96b914d45ebe2e0efe0b14bd3530fd34e7b288c_amd64"
},
"product_reference": "openshift4/ose-hyperkube@sha256:4e2b3627fe571bc63d57290cf96b914d45ebe2e0efe0b14bd3530fd34e7b288c_amd64",
"relates_to_product_reference": "7Server-RH7-RHOSE-4.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift4/ose-multus-cni@sha256:2a2674e5f2422cb2f1c61299cbd5a72576161d12707f86b5131e46c13d5f33e3_amd64 as a component of Red Hat OpenShift Container Platform 4.5",
"product_id": "7Server-RH7-RHOSE-4.5:openshift4/ose-multus-cni@sha256:2a2674e5f2422cb2f1c61299cbd5a72576161d12707f86b5131e46c13d5f33e3_amd64"
},
"product_reference": "openshift4/ose-multus-cni@sha256:2a2674e5f2422cb2f1c61299cbd5a72576161d12707f86b5131e46c13d5f33e3_amd64",
"relates_to_product_reference": "7Server-RH7-RHOSE-4.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift4/ose-oauth-server-rhel7@sha256:143209653c725c16da6312e1cc7cc1a8c6ac634aee1eb6d5d52c31244cadc6df_amd64 as a component of Red Hat OpenShift Container Platform 4.5",
"product_id": "7Server-RH7-RHOSE-4.5:openshift4/ose-oauth-server-rhel7@sha256:143209653c725c16da6312e1cc7cc1a8c6ac634aee1eb6d5d52c31244cadc6df_amd64"
},
"product_reference": "openshift4/ose-oauth-server-rhel7@sha256:143209653c725c16da6312e1cc7cc1a8c6ac634aee1eb6d5d52c31244cadc6df_amd64",
"relates_to_product_reference": "7Server-RH7-RHOSE-4.5"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2019-11252",
"cwe": {
"id": "CWE-209",
"name": "Generation of Error Message Containing Sensitive Information"
},
"discovery_date": "2020-07-23T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-capacity@sha256:d5e08d20c26a06ba87da356e9d2214b3c2a9b0f95b7e38028afbd8bb48b1ca92_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-logging-operator@sha256:ba8d0825e4a292d16eae81a02bc24bb069ed547e9d1910449746cf0a643d2fe2_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-machine-approver@sha256:42c4d1b8d4597b6d36f0d38579484bfeae16bbbdcf08801405ee19e6758a361d_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-console@sha256:9b3eae3982cbfe287635f85a3eecf9aabdb233d3e6c8df725190e214d4521034_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-multus-cni@sha256:2a2674e5f2422cb2f1c61299cbd5a72576161d12707f86b5131e46c13d5f33e3_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-oauth-server-rhel7@sha256:143209653c725c16da6312e1cc7cc1a8c6ac634aee1eb6d5d52c31244cadc6df_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1860158"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Kubernetes that allows the logging of credentials when mounting AzureFile and CephFS volumes. This flaw allows an attacker to access kubelet logs, read the credentials, and use them to access other services. The highest threat from this vulnerability is to confidentiality.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "kubernetes: credential leak in kube-controller-manager via error messages in mount failure logs and events for AzureFile and CephFS volumes",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "OpenShift Container Platform (OCP) included the upstream patch for this flaw in the release of version 4.5. Prior versions are affected as OCP 4 supports AzureFile volumes and OCP 3 supports both AzureFile and CephFS volumes. OCP clusters not using these volume types are not vulnerable.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-RHOSE-4.5:openshift4/ose-hyperkube@sha256:4e2b3627fe571bc63d57290cf96b914d45ebe2e0efe0b14bd3530fd34e7b288c_amd64"
],
"known_not_affected": [
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-capacity@sha256:d5e08d20c26a06ba87da356e9d2214b3c2a9b0f95b7e38028afbd8bb48b1ca92_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-logging-operator@sha256:ba8d0825e4a292d16eae81a02bc24bb069ed547e9d1910449746cf0a643d2fe2_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-machine-approver@sha256:42c4d1b8d4597b6d36f0d38579484bfeae16bbbdcf08801405ee19e6758a361d_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-console@sha256:9b3eae3982cbfe287635f85a3eecf9aabdb233d3e6c8df725190e214d4521034_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-multus-cni@sha256:2a2674e5f2422cb2f1c61299cbd5a72576161d12707f86b5131e46c13d5f33e3_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-oauth-server-rhel7@sha256:143209653c725c16da6312e1cc7cc1a8c6ac634aee1eb6d5d52c31244cadc6df_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2019-11252"
},
{
"category": "external",
"summary": "RHBZ#1860158",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1860158"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2019-11252",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11252"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-11252",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-11252"
}
],
"release_date": "2020-03-04T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2020-07-13T17:22:28+00:00",
"details": "For OpenShift Container Platform 4.5 see the following documentation, which\nwill be updated shortly for release 4.5.1, for important instructions on\nhow to upgrade your cluster and fully apply this asynchronous errata\nupdate:\n\nhttps://docs.openshift.com/container-platform/4.5/release_notes/ocp-4-5-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.5/updating/updating-cluster-cli.html.",
"product_ids": [
"7Server-RH7-RHOSE-4.5:openshift4/ose-hyperkube@sha256:4e2b3627fe571bc63d57290cf96b914d45ebe2e0efe0b14bd3530fd34e7b288c_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2020:2412"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"products": [
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-capacity@sha256:d5e08d20c26a06ba87da356e9d2214b3c2a9b0f95b7e38028afbd8bb48b1ca92_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-logging-operator@sha256:ba8d0825e4a292d16eae81a02bc24bb069ed547e9d1910449746cf0a643d2fe2_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-machine-approver@sha256:42c4d1b8d4597b6d36f0d38579484bfeae16bbbdcf08801405ee19e6758a361d_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-console@sha256:9b3eae3982cbfe287635f85a3eecf9aabdb233d3e6c8df725190e214d4521034_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-hyperkube@sha256:4e2b3627fe571bc63d57290cf96b914d45ebe2e0efe0b14bd3530fd34e7b288c_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-multus-cni@sha256:2a2674e5f2422cb2f1c61299cbd5a72576161d12707f86b5131e46c13d5f33e3_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-oauth-server-rhel7@sha256:143209653c725c16da6312e1cc7cc1a8c6ac634aee1eb6d5d52c31244cadc6df_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "kubernetes: credential leak in kube-controller-manager via error messages in mount failure logs and events for AzureFile and CephFS volumes"
},
{
"cve": "CVE-2019-11254",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2020-04-01T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-capacity@sha256:d5e08d20c26a06ba87da356e9d2214b3c2a9b0f95b7e38028afbd8bb48b1ca92_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-logging-operator@sha256:ba8d0825e4a292d16eae81a02bc24bb069ed547e9d1910449746cf0a643d2fe2_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-machine-approver@sha256:42c4d1b8d4597b6d36f0d38579484bfeae16bbbdcf08801405ee19e6758a361d_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-console@sha256:9b3eae3982cbfe287635f85a3eecf9aabdb233d3e6c8df725190e214d4521034_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-multus-cni@sha256:2a2674e5f2422cb2f1c61299cbd5a72576161d12707f86b5131e46c13d5f33e3_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1819486"
}
],
"notes": [
{
"category": "description",
"text": "The Kubernetes API Server component in versions 1.1-1.14, and versions prior to 1.15.10, 1.16.7 and 1.17.3 allows an authorized user to send malicious YAML payloads that cause the kube-apiserver to consume excessive CPU cycles while parsing YAML.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "kubernetes: Denial of service in API server via crafted YAML payloads by authorized users",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The upstream Kubernetes fix for this vulnerability is to update the version of the Go dependency, gopkg.in/yaml.v2. This issue affects OpenShift Container Platform components that use versions before 2.2.8 of gopkg.in/yaml.v2 and accept YAML payloads.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-RHOSE-4.5:openshift4/ose-hyperkube@sha256:4e2b3627fe571bc63d57290cf96b914d45ebe2e0efe0b14bd3530fd34e7b288c_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-oauth-server-rhel7@sha256:143209653c725c16da6312e1cc7cc1a8c6ac634aee1eb6d5d52c31244cadc6df_amd64"
],
"known_not_affected": [
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-capacity@sha256:d5e08d20c26a06ba87da356e9d2214b3c2a9b0f95b7e38028afbd8bb48b1ca92_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-logging-operator@sha256:ba8d0825e4a292d16eae81a02bc24bb069ed547e9d1910449746cf0a643d2fe2_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-machine-approver@sha256:42c4d1b8d4597b6d36f0d38579484bfeae16bbbdcf08801405ee19e6758a361d_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-console@sha256:9b3eae3982cbfe287635f85a3eecf9aabdb233d3e6c8df725190e214d4521034_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-multus-cni@sha256:2a2674e5f2422cb2f1c61299cbd5a72576161d12707f86b5131e46c13d5f33e3_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2019-11254"
},
{
"category": "external",
"summary": "RHBZ#1819486",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1819486"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2019-11254",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11254"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-11254",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-11254"
},
{
"category": "external",
"summary": "https://groups.google.com/forum/#!topic/kubernetes-security-announce/wuwEwZigXBc",
"url": "https://groups.google.com/forum/#!topic/kubernetes-security-announce/wuwEwZigXBc"
}
],
"release_date": "2020-03-27T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2020-07-13T17:22:28+00:00",
"details": "For OpenShift Container Platform 4.5 see the following documentation, which\nwill be updated shortly for release 4.5.1, for important instructions on\nhow to upgrade your cluster and fully apply this asynchronous errata\nupdate:\n\nhttps://docs.openshift.com/container-platform/4.5/release_notes/ocp-4-5-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.5/updating/updating-cluster-cli.html.",
"product_ids": [
"7Server-RH7-RHOSE-4.5:openshift4/ose-hyperkube@sha256:4e2b3627fe571bc63d57290cf96b914d45ebe2e0efe0b14bd3530fd34e7b288c_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-oauth-server-rhel7@sha256:143209653c725c16da6312e1cc7cc1a8c6ac634aee1eb6d5d52c31244cadc6df_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2020:2412"
},
{
"category": "workaround",
"details": "Prevent unauthenticated or unauthorized access to the API server",
"product_ids": [
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-capacity@sha256:d5e08d20c26a06ba87da356e9d2214b3c2a9b0f95b7e38028afbd8bb48b1ca92_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-logging-operator@sha256:ba8d0825e4a292d16eae81a02bc24bb069ed547e9d1910449746cf0a643d2fe2_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-machine-approver@sha256:42c4d1b8d4597b6d36f0d38579484bfeae16bbbdcf08801405ee19e6758a361d_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-console@sha256:9b3eae3982cbfe287635f85a3eecf9aabdb233d3e6c8df725190e214d4521034_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-hyperkube@sha256:4e2b3627fe571bc63d57290cf96b914d45ebe2e0efe0b14bd3530fd34e7b288c_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-multus-cni@sha256:2a2674e5f2422cb2f1c61299cbd5a72576161d12707f86b5131e46c13d5f33e3_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-oauth-server-rhel7@sha256:143209653c725c16da6312e1cc7cc1a8c6ac634aee1eb6d5d52c31244cadc6df_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-capacity@sha256:d5e08d20c26a06ba87da356e9d2214b3c2a9b0f95b7e38028afbd8bb48b1ca92_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-logging-operator@sha256:ba8d0825e4a292d16eae81a02bc24bb069ed547e9d1910449746cf0a643d2fe2_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-machine-approver@sha256:42c4d1b8d4597b6d36f0d38579484bfeae16bbbdcf08801405ee19e6758a361d_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-console@sha256:9b3eae3982cbfe287635f85a3eecf9aabdb233d3e6c8df725190e214d4521034_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-hyperkube@sha256:4e2b3627fe571bc63d57290cf96b914d45ebe2e0efe0b14bd3530fd34e7b288c_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-multus-cni@sha256:2a2674e5f2422cb2f1c61299cbd5a72576161d12707f86b5131e46c13d5f33e3_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-oauth-server-rhel7@sha256:143209653c725c16da6312e1cc7cc1a8c6ac634aee1eb6d5d52c31244cadc6df_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "kubernetes: Denial of service in API server via crafted YAML payloads by authorized users"
},
{
"cve": "CVE-2019-11358",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2019-03-28T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-capacity@sha256:d5e08d20c26a06ba87da356e9d2214b3c2a9b0f95b7e38028afbd8bb48b1ca92_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-logging-operator@sha256:ba8d0825e4a292d16eae81a02bc24bb069ed547e9d1910449746cf0a643d2fe2_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-machine-approver@sha256:42c4d1b8d4597b6d36f0d38579484bfeae16bbbdcf08801405ee19e6758a361d_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-hyperkube@sha256:4e2b3627fe571bc63d57290cf96b914d45ebe2e0efe0b14bd3530fd34e7b288c_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-multus-cni@sha256:2a2674e5f2422cb2f1c61299cbd5a72576161d12707f86b5131e46c13d5f33e3_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-oauth-server-rhel7@sha256:143209653c725c16da6312e1cc7cc1a8c6ac634aee1eb6d5d52c31244cadc6df_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1701972"
}
],
"notes": [
{
"category": "description",
"text": "A Prototype Pollution vulnerability was found in jquery. Untrusted JSON passed to the `extend` function could lead to modifying objects up the prototype chain, including the global Object. A crafted JSON object passed to a vulnerable method could lead to denial of service or data injection, with various consequences.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jquery: Prototype pollution in object\u0027s prototype leading to denial of service, remote code execution, or property injection",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Virtualization 4.2 EUS contains the affected version of bootstrap in the packages ovirt-js-dependencies and ovirt-engine-dashboard. These packages are deprecated in Red Hat Virtualization 4.3.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-RHOSE-4.5:openshift4/ose-console@sha256:9b3eae3982cbfe287635f85a3eecf9aabdb233d3e6c8df725190e214d4521034_amd64"
],
"known_not_affected": [
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-capacity@sha256:d5e08d20c26a06ba87da356e9d2214b3c2a9b0f95b7e38028afbd8bb48b1ca92_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-logging-operator@sha256:ba8d0825e4a292d16eae81a02bc24bb069ed547e9d1910449746cf0a643d2fe2_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-machine-approver@sha256:42c4d1b8d4597b6d36f0d38579484bfeae16bbbdcf08801405ee19e6758a361d_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-hyperkube@sha256:4e2b3627fe571bc63d57290cf96b914d45ebe2e0efe0b14bd3530fd34e7b288c_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-multus-cni@sha256:2a2674e5f2422cb2f1c61299cbd5a72576161d12707f86b5131e46c13d5f33e3_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-oauth-server-rhel7@sha256:143209653c725c16da6312e1cc7cc1a8c6ac634aee1eb6d5d52c31244cadc6df_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2019-11358"
},
{
"category": "external",
"summary": "RHBZ#1701972",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1701972"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2019-11358",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11358"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-11358",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-11358"
},
{
"category": "external",
"summary": "https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/",
"url": "https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/"
},
{
"category": "external",
"summary": "https://www.drupal.org/sa-core-2019-006",
"url": "https://www.drupal.org/sa-core-2019-006"
}
],
"release_date": "2019-03-27T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2020-07-13T17:22:28+00:00",
"details": "For OpenShift Container Platform 4.5 see the following documentation, which\nwill be updated shortly for release 4.5.1, for important instructions on\nhow to upgrade your cluster and fully apply this asynchronous errata\nupdate:\n\nhttps://docs.openshift.com/container-platform/4.5/release_notes/ocp-4-5-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.5/updating/updating-cluster-cli.html.",
"product_ids": [
"7Server-RH7-RHOSE-4.5:openshift4/ose-console@sha256:9b3eae3982cbfe287635f85a3eecf9aabdb233d3e6c8df725190e214d4521034_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2020:2412"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
},
"products": [
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-capacity@sha256:d5e08d20c26a06ba87da356e9d2214b3c2a9b0f95b7e38028afbd8bb48b1ca92_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-logging-operator@sha256:ba8d0825e4a292d16eae81a02bc24bb069ed547e9d1910449746cf0a643d2fe2_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-machine-approver@sha256:42c4d1b8d4597b6d36f0d38579484bfeae16bbbdcf08801405ee19e6758a361d_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-console@sha256:9b3eae3982cbfe287635f85a3eecf9aabdb233d3e6c8df725190e214d4521034_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-hyperkube@sha256:4e2b3627fe571bc63d57290cf96b914d45ebe2e0efe0b14bd3530fd34e7b288c_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-multus-cni@sha256:2a2674e5f2422cb2f1c61299cbd5a72576161d12707f86b5131e46c13d5f33e3_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-oauth-server-rhel7@sha256:143209653c725c16da6312e1cc7cc1a8c6ac634aee1eb6d5d52c31244cadc6df_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jquery: Prototype pollution in object\u0027s prototype leading to denial of service, remote code execution, or property injection"
},
{
"acknowledgments": [
{
"names": [
"the Kubernetes Product Security Committee"
]
},
{
"names": [
"Yuval Avrahami",
"Ariel Zelivansky"
],
"organization": "Palo Alto Networks",
"summary": "Acknowledged by upstream."
},
{
"names": [
"J\u00e1nos K\u00f6v\u00e9r"
],
"organization": "Ericsson",
"summary": "Acknowledged by upstream."
},
{
"names": [
"Rory McCune"
],
"organization": "NCC Group",
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2020-8558",
"cwe": {
"id": "CWE-300",
"name": "Channel Accessible by Non-Endpoint"
},
"discovery_date": "2020-05-29T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-capacity@sha256:d5e08d20c26a06ba87da356e9d2214b3c2a9b0f95b7e38028afbd8bb48b1ca92_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-logging-operator@sha256:ba8d0825e4a292d16eae81a02bc24bb069ed547e9d1910449746cf0a643d2fe2_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-machine-approver@sha256:42c4d1b8d4597b6d36f0d38579484bfeae16bbbdcf08801405ee19e6758a361d_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-console@sha256:9b3eae3982cbfe287635f85a3eecf9aabdb233d3e6c8df725190e214d4521034_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-multus-cni@sha256:2a2674e5f2422cb2f1c61299cbd5a72576161d12707f86b5131e46c13d5f33e3_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-oauth-server-rhel7@sha256:143209653c725c16da6312e1cc7cc1a8c6ac634aee1eb6d5d52c31244cadc6df_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1843358"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Kubernetes that allows attackers on adjacent networks to reach services exposed on localhost ports, previously thought to be unreachable. This flaw allows an attacker to gain privileges or access confidential information for any services listening on localhost ports that are not protected by authentication.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "kubernetes: node localhost services reachable via martian packets",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "OpenShift Container Platform does not expose the API server on a localhost port without authentication. The only service exposed on a localhost port not protected by authentication is Metrics, which exposes some cluster metadata.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-RHOSE-4.5:openshift4/ose-hyperkube@sha256:4e2b3627fe571bc63d57290cf96b914d45ebe2e0efe0b14bd3530fd34e7b288c_amd64"
],
"known_not_affected": [
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-capacity@sha256:d5e08d20c26a06ba87da356e9d2214b3c2a9b0f95b7e38028afbd8bb48b1ca92_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-logging-operator@sha256:ba8d0825e4a292d16eae81a02bc24bb069ed547e9d1910449746cf0a643d2fe2_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-machine-approver@sha256:42c4d1b8d4597b6d36f0d38579484bfeae16bbbdcf08801405ee19e6758a361d_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-console@sha256:9b3eae3982cbfe287635f85a3eecf9aabdb233d3e6c8df725190e214d4521034_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-multus-cni@sha256:2a2674e5f2422cb2f1c61299cbd5a72576161d12707f86b5131e46c13d5f33e3_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-oauth-server-rhel7@sha256:143209653c725c16da6312e1cc7cc1a8c6ac634aee1eb6d5d52c31244cadc6df_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-8558"
},
{
"category": "external",
"summary": "RHBZ#1843358",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1843358"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-8558",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-8558"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-8558",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8558"
},
{
"category": "external",
"summary": "https://groups.google.com/g/kubernetes-security-announce/c/B1VegbBDMTE",
"url": "https://groups.google.com/g/kubernetes-security-announce/c/B1VegbBDMTE"
}
],
"release_date": "2020-07-08T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2020-07-13T17:22:28+00:00",
"details": "For OpenShift Container Platform 4.5 see the following documentation, which\nwill be updated shortly for release 4.5.1, for important instructions on\nhow to upgrade your cluster and fully apply this asynchronous errata\nupdate:\n\nhttps://docs.openshift.com/container-platform/4.5/release_notes/ocp-4-5-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.5/updating/updating-cluster-cli.html.",
"product_ids": [
"7Server-RH7-RHOSE-4.5:openshift4/ose-hyperkube@sha256:4e2b3627fe571bc63d57290cf96b914d45ebe2e0efe0b14bd3530fd34e7b288c_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2020:2412"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-capacity@sha256:d5e08d20c26a06ba87da356e9d2214b3c2a9b0f95b7e38028afbd8bb48b1ca92_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-logging-operator@sha256:ba8d0825e4a292d16eae81a02bc24bb069ed547e9d1910449746cf0a643d2fe2_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-machine-approver@sha256:42c4d1b8d4597b6d36f0d38579484bfeae16bbbdcf08801405ee19e6758a361d_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-console@sha256:9b3eae3982cbfe287635f85a3eecf9aabdb233d3e6c8df725190e214d4521034_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-hyperkube@sha256:4e2b3627fe571bc63d57290cf96b914d45ebe2e0efe0b14bd3530fd34e7b288c_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-multus-cni@sha256:2a2674e5f2422cb2f1c61299cbd5a72576161d12707f86b5131e46c13d5f33e3_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-oauth-server-rhel7@sha256:143209653c725c16da6312e1cc7cc1a8c6ac634aee1eb6d5d52c31244cadc6df_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "kubernetes: node localhost services reachable via martian packets"
},
{
"cve": "CVE-2020-9283",
"cwe": {
"id": "CWE-130",
"name": "Improper Handling of Length Parameter Inconsistency"
},
"discovery_date": "2020-02-19T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-capacity@sha256:d5e08d20c26a06ba87da356e9d2214b3c2a9b0f95b7e38028afbd8bb48b1ca92_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-machine-approver@sha256:42c4d1b8d4597b6d36f0d38579484bfeae16bbbdcf08801405ee19e6758a361d_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-console@sha256:9b3eae3982cbfe287635f85a3eecf9aabdb233d3e6c8df725190e214d4521034_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-hyperkube@sha256:4e2b3627fe571bc63d57290cf96b914d45ebe2e0efe0b14bd3530fd34e7b288c_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-multus-cni@sha256:2a2674e5f2422cb2f1c61299cbd5a72576161d12707f86b5131e46c13d5f33e3_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-oauth-server-rhel7@sha256:143209653c725c16da6312e1cc7cc1a8c6ac634aee1eb6d5d52c31244cadc6df_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1804533"
}
],
"notes": [
{
"category": "description",
"text": "A denial of service vulnerability was found in the SSH package of the golang.org/x/crypto library. An attacker could exploit this flaw by supplying crafted SSH ed25519 keys to cause a crash in applications that use this package as either an SSH client or server.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang.org/x/crypto: Processing of crafted ssh-ed25519 public keys allows for panic",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "OpenShift Container Platform uses the vulnerable library in a number of components, but strictly as an SSH client. The severity of this vulnerability is reduced for clients because exploitation requires connecting to a malicious SSH server, and the maximum impact is a crash of the client. This vulnerability is rated Low for OpenShift Container Platform.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-logging-operator@sha256:ba8d0825e4a292d16eae81a02bc24bb069ed547e9d1910449746cf0a643d2fe2_amd64"
],
"known_not_affected": [
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-capacity@sha256:d5e08d20c26a06ba87da356e9d2214b3c2a9b0f95b7e38028afbd8bb48b1ca92_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-machine-approver@sha256:42c4d1b8d4597b6d36f0d38579484bfeae16bbbdcf08801405ee19e6758a361d_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-console@sha256:9b3eae3982cbfe287635f85a3eecf9aabdb233d3e6c8df725190e214d4521034_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-hyperkube@sha256:4e2b3627fe571bc63d57290cf96b914d45ebe2e0efe0b14bd3530fd34e7b288c_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-multus-cni@sha256:2a2674e5f2422cb2f1c61299cbd5a72576161d12707f86b5131e46c13d5f33e3_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-oauth-server-rhel7@sha256:143209653c725c16da6312e1cc7cc1a8c6ac634aee1eb6d5d52c31244cadc6df_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-9283"
},
{
"category": "external",
"summary": "RHBZ#1804533",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1804533"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-9283",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-9283"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-9283",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9283"
},
{
"category": "external",
"summary": "https://groups.google.com/forum/#!topic/golang-announce/3L45YRc91SY",
"url": "https://groups.google.com/forum/#!topic/golang-announce/3L45YRc91SY"
}
],
"release_date": "2020-02-21T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2020-07-13T17:22:28+00:00",
"details": "For OpenShift Container Platform 4.5 see the following documentation, which\nwill be updated shortly for release 4.5.1, for important instructions on\nhow to upgrade your cluster and fully apply this asynchronous errata\nupdate:\n\nhttps://docs.openshift.com/container-platform/4.5/release_notes/ocp-4-5-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.5/updating/updating-cluster-cli.html.",
"product_ids": [
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-logging-operator@sha256:ba8d0825e4a292d16eae81a02bc24bb069ed547e9d1910449746cf0a643d2fe2_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2020:2412"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-capacity@sha256:d5e08d20c26a06ba87da356e9d2214b3c2a9b0f95b7e38028afbd8bb48b1ca92_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-logging-operator@sha256:ba8d0825e4a292d16eae81a02bc24bb069ed547e9d1910449746cf0a643d2fe2_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-machine-approver@sha256:42c4d1b8d4597b6d36f0d38579484bfeae16bbbdcf08801405ee19e6758a361d_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-console@sha256:9b3eae3982cbfe287635f85a3eecf9aabdb233d3e6c8df725190e214d4521034_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-hyperkube@sha256:4e2b3627fe571bc63d57290cf96b914d45ebe2e0efe0b14bd3530fd34e7b288c_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-multus-cni@sha256:2a2674e5f2422cb2f1c61299cbd5a72576161d12707f86b5131e46c13d5f33e3_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-oauth-server-rhel7@sha256:143209653c725c16da6312e1cc7cc1a8c6ac634aee1eb6d5d52c31244cadc6df_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "golang.org/x/crypto: Processing of crafted ssh-ed25519 public keys allows for panic"
},
{
"acknowledgments": [
{
"names": [
"the Kubernetes Product Security Committee"
]
},
{
"names": [
"Etienne Champetier"
],
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2020-10749",
"cwe": {
"id": "CWE-300",
"name": "Channel Accessible by Non-Endpoint"
},
"discovery_date": "2020-05-08T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-capacity@sha256:d5e08d20c26a06ba87da356e9d2214b3c2a9b0f95b7e38028afbd8bb48b1ca92_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-logging-operator@sha256:ba8d0825e4a292d16eae81a02bc24bb069ed547e9d1910449746cf0a643d2fe2_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-machine-approver@sha256:42c4d1b8d4597b6d36f0d38579484bfeae16bbbdcf08801405ee19e6758a361d_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-console@sha256:9b3eae3982cbfe287635f85a3eecf9aabdb233d3e6c8df725190e214d4521034_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-hyperkube@sha256:4e2b3627fe571bc63d57290cf96b914d45ebe2e0efe0b14bd3530fd34e7b288c_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-oauth-server-rhel7@sha256:143209653c725c16da6312e1cc7cc1a8c6ac634aee1eb6d5d52c31244cadc6df_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1833220"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in affected container networking implementations that allow malicious containers in Kubernetes clusters to perform man-in-the-middle (MitM) attacks. A malicious container can exploit this flaw by sending \u201crogue\u201d IPv6 router advertisements to the host or other containers, to redirect traffic to the malicious container.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "containernetworking/plugins: IPv6 router advertisements allow for MitM attacks on IPv4 clusters",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "In OpenShift Container Platform 4, neither the default network plugin, OpenShift SDN, nor OVN-Kubernetes forwards IPv6 traffic, so this vulnerability is not exploitable. However, the affected code from containernetworking/plugins is still included in these plugins, hence this vulnerability is rated Low for both OpenShift SDN and OVN-Kubernetes.\n\nIPv6 traffic is not forwarded by the OpenShift SDN in OpenShift Container Platform 3.11, making this vulnerability not exploitable. However, the affected code from containernetworking/plugins is still included in the atomic-openshift package, hence this vulnerability is rated Low for OpenShift Container Platform 3.11.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-RHOSE-4.5:openshift4/ose-multus-cni@sha256:2a2674e5f2422cb2f1c61299cbd5a72576161d12707f86b5131e46c13d5f33e3_amd64"
],
"known_not_affected": [
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-capacity@sha256:d5e08d20c26a06ba87da356e9d2214b3c2a9b0f95b7e38028afbd8bb48b1ca92_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-logging-operator@sha256:ba8d0825e4a292d16eae81a02bc24bb069ed547e9d1910449746cf0a643d2fe2_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-machine-approver@sha256:42c4d1b8d4597b6d36f0d38579484bfeae16bbbdcf08801405ee19e6758a361d_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-console@sha256:9b3eae3982cbfe287635f85a3eecf9aabdb233d3e6c8df725190e214d4521034_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-hyperkube@sha256:4e2b3627fe571bc63d57290cf96b914d45ebe2e0efe0b14bd3530fd34e7b288c_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-oauth-server-rhel7@sha256:143209653c725c16da6312e1cc7cc1a8c6ac634aee1eb6d5d52c31244cadc6df_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-10749"
},
{
"category": "external",
"summary": "RHBZ#1833220",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1833220"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-10749",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-10749"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-10749",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10749"
},
{
"category": "external",
"summary": "https://groups.google.com/forum/#!topic/kubernetes-security-announce/BMb_6ICCfp8",
"url": "https://groups.google.com/forum/#!topic/kubernetes-security-announce/BMb_6ICCfp8"
}
],
"release_date": "2020-06-01T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2020-07-13T17:22:28+00:00",
"details": "For OpenShift Container Platform 4.5 see the following documentation, which\nwill be updated shortly for release 4.5.1, for important instructions on\nhow to upgrade your cluster and fully apply this asynchronous errata\nupdate:\n\nhttps://docs.openshift.com/container-platform/4.5/release_notes/ocp-4-5-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.5/updating/updating-cluster-cli.html.",
"product_ids": [
"7Server-RH7-RHOSE-4.5:openshift4/ose-multus-cni@sha256:2a2674e5f2422cb2f1c61299cbd5a72576161d12707f86b5131e46c13d5f33e3_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2020:2412"
},
{
"category": "workaround",
"details": "Prevent untrusted, non-privileged containers from running with CAP_NET_RAW.",
"product_ids": [
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-capacity@sha256:d5e08d20c26a06ba87da356e9d2214b3c2a9b0f95b7e38028afbd8bb48b1ca92_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-logging-operator@sha256:ba8d0825e4a292d16eae81a02bc24bb069ed547e9d1910449746cf0a643d2fe2_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-machine-approver@sha256:42c4d1b8d4597b6d36f0d38579484bfeae16bbbdcf08801405ee19e6758a361d_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-console@sha256:9b3eae3982cbfe287635f85a3eecf9aabdb233d3e6c8df725190e214d4521034_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-hyperkube@sha256:4e2b3627fe571bc63d57290cf96b914d45ebe2e0efe0b14bd3530fd34e7b288c_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-multus-cni@sha256:2a2674e5f2422cb2f1c61299cbd5a72576161d12707f86b5131e46c13d5f33e3_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-oauth-server-rhel7@sha256:143209653c725c16da6312e1cc7cc1a8c6ac634aee1eb6d5d52c31244cadc6df_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.0,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-capacity@sha256:d5e08d20c26a06ba87da356e9d2214b3c2a9b0f95b7e38028afbd8bb48b1ca92_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-logging-operator@sha256:ba8d0825e4a292d16eae81a02bc24bb069ed547e9d1910449746cf0a643d2fe2_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-machine-approver@sha256:42c4d1b8d4597b6d36f0d38579484bfeae16bbbdcf08801405ee19e6758a361d_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-console@sha256:9b3eae3982cbfe287635f85a3eecf9aabdb233d3e6c8df725190e214d4521034_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-hyperkube@sha256:4e2b3627fe571bc63d57290cf96b914d45ebe2e0efe0b14bd3530fd34e7b288c_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-multus-cni@sha256:2a2674e5f2422cb2f1c61299cbd5a72576161d12707f86b5131e46c13d5f33e3_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-oauth-server-rhel7@sha256:143209653c725c16da6312e1cc7cc1a8c6ac634aee1eb6d5d52c31244cadc6df_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "containernetworking/plugins: IPv6 router advertisements allow for MitM attacks on IPv4 clusters"
},
{
"cve": "CVE-2020-11022",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2020-04-23T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-capacity@sha256:d5e08d20c26a06ba87da356e9d2214b3c2a9b0f95b7e38028afbd8bb48b1ca92_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-logging-operator@sha256:ba8d0825e4a292d16eae81a02bc24bb069ed547e9d1910449746cf0a643d2fe2_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-machine-approver@sha256:42c4d1b8d4597b6d36f0d38579484bfeae16bbbdcf08801405ee19e6758a361d_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-hyperkube@sha256:4e2b3627fe571bc63d57290cf96b914d45ebe2e0efe0b14bd3530fd34e7b288c_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-multus-cni@sha256:2a2674e5f2422cb2f1c61299cbd5a72576161d12707f86b5131e46c13d5f33e3_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-oauth-server-rhel7@sha256:143209653c725c16da6312e1cc7cc1a8c6ac634aee1eb6d5d52c31244cadc6df_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1828406"
}
],
"notes": [
{
"category": "description",
"text": "A Cross-site scripting (XSS) vulnerability exists in jQuery. This flaw allows an attacker with the ability to supply input to the \u2018HTML\u2019 function to inject JavaScript into the page where that input is rendered, and have it executed by the browser.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jquery: Cross-site scripting due to improper input handling in the jQuery.htmlPrefilter method",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "No supported release of Red Hat OpenStack Platform is affected by this vulnerability as no shipped packages contain the vulnerable code.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-RHOSE-4.5:openshift4/ose-console@sha256:9b3eae3982cbfe287635f85a3eecf9aabdb233d3e6c8df725190e214d4521034_amd64"
],
"known_not_affected": [
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-capacity@sha256:d5e08d20c26a06ba87da356e9d2214b3c2a9b0f95b7e38028afbd8bb48b1ca92_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-logging-operator@sha256:ba8d0825e4a292d16eae81a02bc24bb069ed547e9d1910449746cf0a643d2fe2_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-machine-approver@sha256:42c4d1b8d4597b6d36f0d38579484bfeae16bbbdcf08801405ee19e6758a361d_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-hyperkube@sha256:4e2b3627fe571bc63d57290cf96b914d45ebe2e0efe0b14bd3530fd34e7b288c_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-multus-cni@sha256:2a2674e5f2422cb2f1c61299cbd5a72576161d12707f86b5131e46c13d5f33e3_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-oauth-server-rhel7@sha256:143209653c725c16da6312e1cc7cc1a8c6ac634aee1eb6d5d52c31244cadc6df_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-11022"
},
{
"category": "external",
"summary": "RHBZ#1828406",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1828406"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-11022",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-11022"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-11022",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11022"
},
{
"category": "external",
"summary": "https://github.com/advisories/GHSA-gxr4-xjj5-5px2",
"url": "https://github.com/advisories/GHSA-gxr4-xjj5-5px2"
}
],
"release_date": "2020-04-23T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2020-07-13T17:22:28+00:00",
"details": "For OpenShift Container Platform 4.5 see the following documentation, which\nwill be updated shortly for release 4.5.1, for important instructions on\nhow to upgrade your cluster and fully apply this asynchronous errata\nupdate:\n\nhttps://docs.openshift.com/container-platform/4.5/release_notes/ocp-4-5-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.5/updating/updating-cluster-cli.html.",
"product_ids": [
"7Server-RH7-RHOSE-4.5:openshift4/ose-console@sha256:9b3eae3982cbfe287635f85a3eecf9aabdb233d3e6c8df725190e214d4521034_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2020:2412"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-capacity@sha256:d5e08d20c26a06ba87da356e9d2214b3c2a9b0f95b7e38028afbd8bb48b1ca92_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-logging-operator@sha256:ba8d0825e4a292d16eae81a02bc24bb069ed547e9d1910449746cf0a643d2fe2_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-machine-approver@sha256:42c4d1b8d4597b6d36f0d38579484bfeae16bbbdcf08801405ee19e6758a361d_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-console@sha256:9b3eae3982cbfe287635f85a3eecf9aabdb233d3e6c8df725190e214d4521034_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-hyperkube@sha256:4e2b3627fe571bc63d57290cf96b914d45ebe2e0efe0b14bd3530fd34e7b288c_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-multus-cni@sha256:2a2674e5f2422cb2f1c61299cbd5a72576161d12707f86b5131e46c13d5f33e3_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-oauth-server-rhel7@sha256:143209653c725c16da6312e1cc7cc1a8c6ac634aee1eb6d5d52c31244cadc6df_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jquery: Cross-site scripting due to improper input handling in the jQuery.htmlPrefilter method"
},
{
"cve": "CVE-2020-11023",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2020-06-23T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-capacity@sha256:d5e08d20c26a06ba87da356e9d2214b3c2a9b0f95b7e38028afbd8bb48b1ca92_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-logging-operator@sha256:ba8d0825e4a292d16eae81a02bc24bb069ed547e9d1910449746cf0a643d2fe2_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-machine-approver@sha256:42c4d1b8d4597b6d36f0d38579484bfeae16bbbdcf08801405ee19e6758a361d_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-hyperkube@sha256:4e2b3627fe571bc63d57290cf96b914d45ebe2e0efe0b14bd3530fd34e7b288c_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-multus-cni@sha256:2a2674e5f2422cb2f1c61299cbd5a72576161d12707f86b5131e46c13d5f33e3_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-oauth-server-rhel7@sha256:143209653c725c16da6312e1cc7cc1a8c6ac634aee1eb6d5d52c31244cadc6df_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1850004"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in jQuery. When HTML containing \\\u003coption\\\u003e elements from untrusted sources is passed, even after sanitizing, to one of jQuery\u0027s DOM manipulation methods, untrusted code may be executed. The highest threat from this vulnerability is to data confidentiality and integrity.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jquery: Untrusted code execution via \u003coption\u003e tag in HTML passed to DOM manipulation methods",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Enterprise Linux versions 6, 7, and 8 ship a vulnerable version of JQuery in the `pcs` component. As PCS does not accept untrusted input, the vulnerable code cannot be controlled by an attacker.\n\nMultiple Red Hat offerings use doxygen to build documentation. During this process an affected jquery.js file can be included in the resulting package. The \u0027gcc\u0027 and \u0027tbb\u0027 packages were potentially vulnerable via this method.\n\nOpenShift Container Platform 4 is not affected because even though it uses the \u0027gcc\u0027 component, vulnerable code is limited within the libstdc++-docs rpm package, which is not shipped.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-RHOSE-4.5:openshift4/ose-console@sha256:9b3eae3982cbfe287635f85a3eecf9aabdb233d3e6c8df725190e214d4521034_amd64"
],
"known_not_affected": [
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-capacity@sha256:d5e08d20c26a06ba87da356e9d2214b3c2a9b0f95b7e38028afbd8bb48b1ca92_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-logging-operator@sha256:ba8d0825e4a292d16eae81a02bc24bb069ed547e9d1910449746cf0a643d2fe2_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-machine-approver@sha256:42c4d1b8d4597b6d36f0d38579484bfeae16bbbdcf08801405ee19e6758a361d_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-hyperkube@sha256:4e2b3627fe571bc63d57290cf96b914d45ebe2e0efe0b14bd3530fd34e7b288c_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-multus-cni@sha256:2a2674e5f2422cb2f1c61299cbd5a72576161d12707f86b5131e46c13d5f33e3_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-oauth-server-rhel7@sha256:143209653c725c16da6312e1cc7cc1a8c6ac634aee1eb6d5d52c31244cadc6df_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-11023"
},
{
"category": "external",
"summary": "RHBZ#1850004",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1850004"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-11023",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-11023"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-11023",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11023"
},
{
"category": "external",
"summary": "https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/",
"url": "https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/"
},
{
"category": "external",
"summary": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
}
],
"release_date": "2020-04-29T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2020-07-13T17:22:28+00:00",
"details": "For OpenShift Container Platform 4.5 see the following documentation, which\nwill be updated shortly for release 4.5.1, for important instructions on\nhow to upgrade your cluster and fully apply this asynchronous errata\nupdate:\n\nhttps://docs.openshift.com/container-platform/4.5/release_notes/ocp-4-5-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.5/updating/updating-cluster-cli.html.",
"product_ids": [
"7Server-RH7-RHOSE-4.5:openshift4/ose-console@sha256:9b3eae3982cbfe287635f85a3eecf9aabdb233d3e6c8df725190e214d4521034_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2020:2412"
},
{
"category": "workaround",
"details": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible.",
"product_ids": [
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-capacity@sha256:d5e08d20c26a06ba87da356e9d2214b3c2a9b0f95b7e38028afbd8bb48b1ca92_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-logging-operator@sha256:ba8d0825e4a292d16eae81a02bc24bb069ed547e9d1910449746cf0a643d2fe2_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-machine-approver@sha256:42c4d1b8d4597b6d36f0d38579484bfeae16bbbdcf08801405ee19e6758a361d_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-console@sha256:9b3eae3982cbfe287635f85a3eecf9aabdb233d3e6c8df725190e214d4521034_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-hyperkube@sha256:4e2b3627fe571bc63d57290cf96b914d45ebe2e0efe0b14bd3530fd34e7b288c_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-multus-cni@sha256:2a2674e5f2422cb2f1c61299cbd5a72576161d12707f86b5131e46c13d5f33e3_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-oauth-server-rhel7@sha256:143209653c725c16da6312e1cc7cc1a8c6ac634aee1eb6d5d52c31244cadc6df_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-capacity@sha256:d5e08d20c26a06ba87da356e9d2214b3c2a9b0f95b7e38028afbd8bb48b1ca92_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-logging-operator@sha256:ba8d0825e4a292d16eae81a02bc24bb069ed547e9d1910449746cf0a643d2fe2_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-machine-approver@sha256:42c4d1b8d4597b6d36f0d38579484bfeae16bbbdcf08801405ee19e6758a361d_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-console@sha256:9b3eae3982cbfe287635f85a3eecf9aabdb233d3e6c8df725190e214d4521034_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-hyperkube@sha256:4e2b3627fe571bc63d57290cf96b914d45ebe2e0efe0b14bd3530fd34e7b288c_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-multus-cni@sha256:2a2674e5f2422cb2f1c61299cbd5a72576161d12707f86b5131e46c13d5f33e3_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-oauth-server-rhel7@sha256:143209653c725c16da6312e1cc7cc1a8c6ac634aee1eb6d5d52c31244cadc6df_amd64"
]
}
],
"threats": [
{
"category": "exploit_status",
"date": "2025-01-23T00:00:00+00:00",
"details": "CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
},
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jquery: Untrusted code execution via \u003coption\u003e tag in HTML passed to DOM manipulation methods"
}
]
}
RHSA-2020:2443
Vulnerability from csaf_redhat - Published: 2020-06-17 19:46 - Updated: 2026-03-27 06:23A vulnerability was found in affected container networking implementations that allow malicious containers in Kubernetes clusters to perform man-in-the-middle (MitM) attacks. A malicious container can exploit this flaw by sending “rogue” IPv6 router advertisements to the host or other containers, to redirect traffic to the malicious container.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-RH7-RHOSE-4.3:containernetworking-plugins-0:0.8.6-1.rhaos4.3.el7.ppc64le | — | Vendor Fix (fix), Workaround |
| Unresolved product id: 7Server-RH7-RHOSE-4.3:containernetworking-plugins-0:0.8.6-1.rhaos4.3.el7.s390x | — | Vendor Fix (fix), Workaround |
| Unresolved product id: 7Server-RH7-RHOSE-4.3:containernetworking-plugins-0:0.8.6-1.rhaos4.3.el7.src | — | Vendor Fix (fix), Workaround |
| Unresolved product id: 7Server-RH7-RHOSE-4.3:containernetworking-plugins-0:0.8.6-1.rhaos4.3.el7.x86_64 | — | Vendor Fix (fix), Workaround |
| Unresolved product id: 7Server-RH7-RHOSE-4.3:containernetworking-plugins-debuginfo-0:0.8.6-1.rhaos4.3.el7.ppc64le | — | Vendor Fix (fix), Workaround |
| Unresolved product id: 7Server-RH7-RHOSE-4.3:containernetworking-plugins-debuginfo-0:0.8.6-1.rhaos4.3.el7.s390x | — | Vendor Fix (fix), Workaround |
| Unresolved product id: 7Server-RH7-RHOSE-4.3:containernetworking-plugins-debuginfo-0:0.8.6-1.rhaos4.3.el7.x86_64 | — | Vendor Fix (fix), Workaround |
| Unresolved product id: 8Base-RHOSE-4.3:containernetworking-plugins-0:0.8.6-1.rhaos4.3.el8.ppc64le | — | Vendor Fix (fix), Workaround |
| Unresolved product id: 8Base-RHOSE-4.3:containernetworking-plugins-0:0.8.6-1.rhaos4.3.el8.s390x | — | Vendor Fix (fix), Workaround |
| Unresolved product id: 8Base-RHOSE-4.3:containernetworking-plugins-0:0.8.6-1.rhaos4.3.el8.src | — | Vendor Fix (fix), Workaround |
| Unresolved product id: 8Base-RHOSE-4.3:containernetworking-plugins-0:0.8.6-1.rhaos4.3.el8.x86_64 | — | Vendor Fix (fix), Workaround |
| Unresolved product id: 8Base-RHOSE-4.3:containernetworking-plugins-debuginfo-0:0.8.6-1.rhaos4.3.el8.ppc64le | — | Vendor Fix (fix), Workaround |
| Unresolved product id: 8Base-RHOSE-4.3:containernetworking-plugins-debuginfo-0:0.8.6-1.rhaos4.3.el8.s390x | — | Vendor Fix (fix), Workaround |
| Unresolved product id: 8Base-RHOSE-4.3:containernetworking-plugins-debuginfo-0:0.8.6-1.rhaos4.3.el8.x86_64 | — | Vendor Fix (fix), Workaround |
| Unresolved product id: 8Base-RHOSE-4.3:containernetworking-plugins-debugsource-0:0.8.6-1.rhaos4.3.el8.ppc64le | — | Vendor Fix (fix), Workaround |
| Unresolved product id: 8Base-RHOSE-4.3:containernetworking-plugins-debugsource-0:0.8.6-1.rhaos4.3.el8.s390x | — | Vendor Fix (fix), Workaround |
| Unresolved product id: 8Base-RHOSE-4.3:containernetworking-plugins-debugsource-0:0.8.6-1.rhaos4.3.el8.x86_64 | — | Vendor Fix (fix), Workaround |
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for containernetworking-plugins is now available for Red Hat OpenShift Container Platform 4.3.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat OpenShift Container Platform is Red Hat\u0027s cloud computing\nKubernetes application platform solution designed for on-premise or private\ncloud deployments.\n\nSecurity Fix(es):\n\n* containernetworking/plugins: A vulnerability in IPv4 networking implementations allowed malicious containers in Kubernetes clusters to perform man-in-the-middle (MitM) attacks by redirecting traffic to the malicious container with \u201crogue\u201d IPv6 router advertisements. (CVE-2020-10749)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2020:2443",
"url": "https://access.redhat.com/errata/RHSA-2020:2443"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "1833220",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1833220"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2020/rhsa-2020_2443.json"
}
],
"title": "Red Hat Security Advisory: OpenShift Container Platform 4.3.25 containernetworking-plugins security update",
"tracking": {
"current_release_date": "2026-03-27T06:23:56+00:00",
"generator": {
"date": "2026-03-27T06:23:56+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.7.4"
}
},
"id": "RHSA-2020:2443",
"initial_release_date": "2020-06-17T19:46:04+00:00",
"revision_history": [
{
"date": "2020-06-17T19:46:04+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2020-06-17T19:46:04+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-03-27T06:23:56+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat OpenShift Container Platform 4.3",
"product": {
"name": "Red Hat OpenShift Container Platform 4.3",
"product_id": "8Base-RHOSE-4.3",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openshift:4.3::el8"
}
}
},
{
"category": "product_name",
"name": "Red Hat OpenShift Container Platform 4.3",
"product": {
"name": "Red Hat OpenShift Container Platform 4.3",
"product_id": "7Server-RH7-RHOSE-4.3",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openshift:4.3::el7"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenShift Enterprise"
},
{
"branches": [
{
"category": "product_version",
"name": "containernetworking-plugins-0:0.8.6-1.rhaos4.3.el8.ppc64le",
"product": {
"name": "containernetworking-plugins-0:0.8.6-1.rhaos4.3.el8.ppc64le",
"product_id": "containernetworking-plugins-0:0.8.6-1.rhaos4.3.el8.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/containernetworking-plugins@0.8.6-1.rhaos4.3.el8?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "containernetworking-plugins-debugsource-0:0.8.6-1.rhaos4.3.el8.ppc64le",
"product": {
"name": "containernetworking-plugins-debugsource-0:0.8.6-1.rhaos4.3.el8.ppc64le",
"product_id": "containernetworking-plugins-debugsource-0:0.8.6-1.rhaos4.3.el8.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/containernetworking-plugins-debugsource@0.8.6-1.rhaos4.3.el8?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "containernetworking-plugins-debuginfo-0:0.8.6-1.rhaos4.3.el8.ppc64le",
"product": {
"name": "containernetworking-plugins-debuginfo-0:0.8.6-1.rhaos4.3.el8.ppc64le",
"product_id": "containernetworking-plugins-debuginfo-0:0.8.6-1.rhaos4.3.el8.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/containernetworking-plugins-debuginfo@0.8.6-1.rhaos4.3.el8?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "containernetworking-plugins-0:0.8.6-1.rhaos4.3.el7.ppc64le",
"product": {
"name": "containernetworking-plugins-0:0.8.6-1.rhaos4.3.el7.ppc64le",
"product_id": "containernetworking-plugins-0:0.8.6-1.rhaos4.3.el7.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/containernetworking-plugins@0.8.6-1.rhaos4.3.el7?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "containernetworking-plugins-debuginfo-0:0.8.6-1.rhaos4.3.el7.ppc64le",
"product": {
"name": "containernetworking-plugins-debuginfo-0:0.8.6-1.rhaos4.3.el7.ppc64le",
"product_id": "containernetworking-plugins-debuginfo-0:0.8.6-1.rhaos4.3.el7.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/containernetworking-plugins-debuginfo@0.8.6-1.rhaos4.3.el7?arch=ppc64le"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "containernetworking-plugins-0:0.8.6-1.rhaos4.3.el8.s390x",
"product": {
"name": "containernetworking-plugins-0:0.8.6-1.rhaos4.3.el8.s390x",
"product_id": "containernetworking-plugins-0:0.8.6-1.rhaos4.3.el8.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/containernetworking-plugins@0.8.6-1.rhaos4.3.el8?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "containernetworking-plugins-debugsource-0:0.8.6-1.rhaos4.3.el8.s390x",
"product": {
"name": "containernetworking-plugins-debugsource-0:0.8.6-1.rhaos4.3.el8.s390x",
"product_id": "containernetworking-plugins-debugsource-0:0.8.6-1.rhaos4.3.el8.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/containernetworking-plugins-debugsource@0.8.6-1.rhaos4.3.el8?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "containernetworking-plugins-debuginfo-0:0.8.6-1.rhaos4.3.el8.s390x",
"product": {
"name": "containernetworking-plugins-debuginfo-0:0.8.6-1.rhaos4.3.el8.s390x",
"product_id": "containernetworking-plugins-debuginfo-0:0.8.6-1.rhaos4.3.el8.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/containernetworking-plugins-debuginfo@0.8.6-1.rhaos4.3.el8?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "containernetworking-plugins-0:0.8.6-1.rhaos4.3.el7.s390x",
"product": {
"name": "containernetworking-plugins-0:0.8.6-1.rhaos4.3.el7.s390x",
"product_id": "containernetworking-plugins-0:0.8.6-1.rhaos4.3.el7.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/containernetworking-plugins@0.8.6-1.rhaos4.3.el7?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "containernetworking-plugins-debuginfo-0:0.8.6-1.rhaos4.3.el7.s390x",
"product": {
"name": "containernetworking-plugins-debuginfo-0:0.8.6-1.rhaos4.3.el7.s390x",
"product_id": "containernetworking-plugins-debuginfo-0:0.8.6-1.rhaos4.3.el7.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/containernetworking-plugins-debuginfo@0.8.6-1.rhaos4.3.el7?arch=s390x"
}
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "containernetworking-plugins-0:0.8.6-1.rhaos4.3.el8.x86_64",
"product": {
"name": "containernetworking-plugins-0:0.8.6-1.rhaos4.3.el8.x86_64",
"product_id": "containernetworking-plugins-0:0.8.6-1.rhaos4.3.el8.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/containernetworking-plugins@0.8.6-1.rhaos4.3.el8?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "containernetworking-plugins-debugsource-0:0.8.6-1.rhaos4.3.el8.x86_64",
"product": {
"name": "containernetworking-plugins-debugsource-0:0.8.6-1.rhaos4.3.el8.x86_64",
"product_id": "containernetworking-plugins-debugsource-0:0.8.6-1.rhaos4.3.el8.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/containernetworking-plugins-debugsource@0.8.6-1.rhaos4.3.el8?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "containernetworking-plugins-debuginfo-0:0.8.6-1.rhaos4.3.el8.x86_64",
"product": {
"name": "containernetworking-plugins-debuginfo-0:0.8.6-1.rhaos4.3.el8.x86_64",
"product_id": "containernetworking-plugins-debuginfo-0:0.8.6-1.rhaos4.3.el8.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/containernetworking-plugins-debuginfo@0.8.6-1.rhaos4.3.el8?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "containernetworking-plugins-0:0.8.6-1.rhaos4.3.el7.x86_64",
"product": {
"name": "containernetworking-plugins-0:0.8.6-1.rhaos4.3.el7.x86_64",
"product_id": "containernetworking-plugins-0:0.8.6-1.rhaos4.3.el7.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/containernetworking-plugins@0.8.6-1.rhaos4.3.el7?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "containernetworking-plugins-debuginfo-0:0.8.6-1.rhaos4.3.el7.x86_64",
"product": {
"name": "containernetworking-plugins-debuginfo-0:0.8.6-1.rhaos4.3.el7.x86_64",
"product_id": "containernetworking-plugins-debuginfo-0:0.8.6-1.rhaos4.3.el7.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/containernetworking-plugins-debuginfo@0.8.6-1.rhaos4.3.el7?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "containernetworking-plugins-0:0.8.6-1.rhaos4.3.el8.src",
"product": {
"name": "containernetworking-plugins-0:0.8.6-1.rhaos4.3.el8.src",
"product_id": "containernetworking-plugins-0:0.8.6-1.rhaos4.3.el8.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/containernetworking-plugins@0.8.6-1.rhaos4.3.el8?arch=src"
}
}
},
{
"category": "product_version",
"name": "containernetworking-plugins-0:0.8.6-1.rhaos4.3.el7.src",
"product": {
"name": "containernetworking-plugins-0:0.8.6-1.rhaos4.3.el7.src",
"product_id": "containernetworking-plugins-0:0.8.6-1.rhaos4.3.el7.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/containernetworking-plugins@0.8.6-1.rhaos4.3.el7?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "containernetworking-plugins-0:0.8.6-1.rhaos4.3.el7.ppc64le as a component of Red Hat OpenShift Container Platform 4.3",
"product_id": "7Server-RH7-RHOSE-4.3:containernetworking-plugins-0:0.8.6-1.rhaos4.3.el7.ppc64le"
},
"product_reference": "containernetworking-plugins-0:0.8.6-1.rhaos4.3.el7.ppc64le",
"relates_to_product_reference": "7Server-RH7-RHOSE-4.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "containernetworking-plugins-0:0.8.6-1.rhaos4.3.el7.s390x as a component of Red Hat OpenShift Container Platform 4.3",
"product_id": "7Server-RH7-RHOSE-4.3:containernetworking-plugins-0:0.8.6-1.rhaos4.3.el7.s390x"
},
"product_reference": "containernetworking-plugins-0:0.8.6-1.rhaos4.3.el7.s390x",
"relates_to_product_reference": "7Server-RH7-RHOSE-4.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "containernetworking-plugins-0:0.8.6-1.rhaos4.3.el7.src as a component of Red Hat OpenShift Container Platform 4.3",
"product_id": "7Server-RH7-RHOSE-4.3:containernetworking-plugins-0:0.8.6-1.rhaos4.3.el7.src"
},
"product_reference": "containernetworking-plugins-0:0.8.6-1.rhaos4.3.el7.src",
"relates_to_product_reference": "7Server-RH7-RHOSE-4.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "containernetworking-plugins-0:0.8.6-1.rhaos4.3.el7.x86_64 as a component of Red Hat OpenShift Container Platform 4.3",
"product_id": "7Server-RH7-RHOSE-4.3:containernetworking-plugins-0:0.8.6-1.rhaos4.3.el7.x86_64"
},
"product_reference": "containernetworking-plugins-0:0.8.6-1.rhaos4.3.el7.x86_64",
"relates_to_product_reference": "7Server-RH7-RHOSE-4.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "containernetworking-plugins-debuginfo-0:0.8.6-1.rhaos4.3.el7.ppc64le as a component of Red Hat OpenShift Container Platform 4.3",
"product_id": "7Server-RH7-RHOSE-4.3:containernetworking-plugins-debuginfo-0:0.8.6-1.rhaos4.3.el7.ppc64le"
},
"product_reference": "containernetworking-plugins-debuginfo-0:0.8.6-1.rhaos4.3.el7.ppc64le",
"relates_to_product_reference": "7Server-RH7-RHOSE-4.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "containernetworking-plugins-debuginfo-0:0.8.6-1.rhaos4.3.el7.s390x as a component of Red Hat OpenShift Container Platform 4.3",
"product_id": "7Server-RH7-RHOSE-4.3:containernetworking-plugins-debuginfo-0:0.8.6-1.rhaos4.3.el7.s390x"
},
"product_reference": "containernetworking-plugins-debuginfo-0:0.8.6-1.rhaos4.3.el7.s390x",
"relates_to_product_reference": "7Server-RH7-RHOSE-4.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "containernetworking-plugins-debuginfo-0:0.8.6-1.rhaos4.3.el7.x86_64 as a component of Red Hat OpenShift Container Platform 4.3",
"product_id": "7Server-RH7-RHOSE-4.3:containernetworking-plugins-debuginfo-0:0.8.6-1.rhaos4.3.el7.x86_64"
},
"product_reference": "containernetworking-plugins-debuginfo-0:0.8.6-1.rhaos4.3.el7.x86_64",
"relates_to_product_reference": "7Server-RH7-RHOSE-4.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "containernetworking-plugins-0:0.8.6-1.rhaos4.3.el8.ppc64le as a component of Red Hat OpenShift Container Platform 4.3",
"product_id": "8Base-RHOSE-4.3:containernetworking-plugins-0:0.8.6-1.rhaos4.3.el8.ppc64le"
},
"product_reference": "containernetworking-plugins-0:0.8.6-1.rhaos4.3.el8.ppc64le",
"relates_to_product_reference": "8Base-RHOSE-4.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "containernetworking-plugins-0:0.8.6-1.rhaos4.3.el8.s390x as a component of Red Hat OpenShift Container Platform 4.3",
"product_id": "8Base-RHOSE-4.3:containernetworking-plugins-0:0.8.6-1.rhaos4.3.el8.s390x"
},
"product_reference": "containernetworking-plugins-0:0.8.6-1.rhaos4.3.el8.s390x",
"relates_to_product_reference": "8Base-RHOSE-4.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "containernetworking-plugins-0:0.8.6-1.rhaos4.3.el8.src as a component of Red Hat OpenShift Container Platform 4.3",
"product_id": "8Base-RHOSE-4.3:containernetworking-plugins-0:0.8.6-1.rhaos4.3.el8.src"
},
"product_reference": "containernetworking-plugins-0:0.8.6-1.rhaos4.3.el8.src",
"relates_to_product_reference": "8Base-RHOSE-4.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "containernetworking-plugins-0:0.8.6-1.rhaos4.3.el8.x86_64 as a component of Red Hat OpenShift Container Platform 4.3",
"product_id": "8Base-RHOSE-4.3:containernetworking-plugins-0:0.8.6-1.rhaos4.3.el8.x86_64"
},
"product_reference": "containernetworking-plugins-0:0.8.6-1.rhaos4.3.el8.x86_64",
"relates_to_product_reference": "8Base-RHOSE-4.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "containernetworking-plugins-debuginfo-0:0.8.6-1.rhaos4.3.el8.ppc64le as a component of Red Hat OpenShift Container Platform 4.3",
"product_id": "8Base-RHOSE-4.3:containernetworking-plugins-debuginfo-0:0.8.6-1.rhaos4.3.el8.ppc64le"
},
"product_reference": "containernetworking-plugins-debuginfo-0:0.8.6-1.rhaos4.3.el8.ppc64le",
"relates_to_product_reference": "8Base-RHOSE-4.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "containernetworking-plugins-debuginfo-0:0.8.6-1.rhaos4.3.el8.s390x as a component of Red Hat OpenShift Container Platform 4.3",
"product_id": "8Base-RHOSE-4.3:containernetworking-plugins-debuginfo-0:0.8.6-1.rhaos4.3.el8.s390x"
},
"product_reference": "containernetworking-plugins-debuginfo-0:0.8.6-1.rhaos4.3.el8.s390x",
"relates_to_product_reference": "8Base-RHOSE-4.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "containernetworking-plugins-debuginfo-0:0.8.6-1.rhaos4.3.el8.x86_64 as a component of Red Hat OpenShift Container Platform 4.3",
"product_id": "8Base-RHOSE-4.3:containernetworking-plugins-debuginfo-0:0.8.6-1.rhaos4.3.el8.x86_64"
},
"product_reference": "containernetworking-plugins-debuginfo-0:0.8.6-1.rhaos4.3.el8.x86_64",
"relates_to_product_reference": "8Base-RHOSE-4.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "containernetworking-plugins-debugsource-0:0.8.6-1.rhaos4.3.el8.ppc64le as a component of Red Hat OpenShift Container Platform 4.3",
"product_id": "8Base-RHOSE-4.3:containernetworking-plugins-debugsource-0:0.8.6-1.rhaos4.3.el8.ppc64le"
},
"product_reference": "containernetworking-plugins-debugsource-0:0.8.6-1.rhaos4.3.el8.ppc64le",
"relates_to_product_reference": "8Base-RHOSE-4.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "containernetworking-plugins-debugsource-0:0.8.6-1.rhaos4.3.el8.s390x as a component of Red Hat OpenShift Container Platform 4.3",
"product_id": "8Base-RHOSE-4.3:containernetworking-plugins-debugsource-0:0.8.6-1.rhaos4.3.el8.s390x"
},
"product_reference": "containernetworking-plugins-debugsource-0:0.8.6-1.rhaos4.3.el8.s390x",
"relates_to_product_reference": "8Base-RHOSE-4.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "containernetworking-plugins-debugsource-0:0.8.6-1.rhaos4.3.el8.x86_64 as a component of Red Hat OpenShift Container Platform 4.3",
"product_id": "8Base-RHOSE-4.3:containernetworking-plugins-debugsource-0:0.8.6-1.rhaos4.3.el8.x86_64"
},
"product_reference": "containernetworking-plugins-debugsource-0:0.8.6-1.rhaos4.3.el8.x86_64",
"relates_to_product_reference": "8Base-RHOSE-4.3"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"the Kubernetes Product Security Committee"
]
},
{
"names": [
"Etienne Champetier"
],
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2020-10749",
"cwe": {
"id": "CWE-300",
"name": "Channel Accessible by Non-Endpoint"
},
"discovery_date": "2020-05-08T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1833220"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in affected container networking implementations that allow malicious containers in Kubernetes clusters to perform man-in-the-middle (MitM) attacks. A malicious container can exploit this flaw by sending \u201crogue\u201d IPv6 router advertisements to the host or other containers, to redirect traffic to the malicious container.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "containernetworking/plugins: IPv6 router advertisements allow for MitM attacks on IPv4 clusters",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "In OpenShift Container Platform 4, the default network plugin, OpenShift SDN, and OVN Kubernetes, do not forward IPv6 traffic, making this vulnerability not exploitable. The affected code from containernetworking/plugins is however still included in these plugins, hence this vulnerability is rated Low for both OpenShift SDN and OVN-Kubernetes.\n\nIPv6 traffic is not forwarded by the OpenShift SDN in OpenShift Container Platform 3.11, making this vulnerability not exploitable. However, the affected code from containernetworking/plugins is still included in the atomic-openshift package, hence this vulnerability is rated Low for OpenShift Container Platform 3.11.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-RHOSE-4.3:containernetworking-plugins-0:0.8.6-1.rhaos4.3.el7.ppc64le",
"7Server-RH7-RHOSE-4.3:containernetworking-plugins-0:0.8.6-1.rhaos4.3.el7.s390x",
"7Server-RH7-RHOSE-4.3:containernetworking-plugins-0:0.8.6-1.rhaos4.3.el7.src",
"7Server-RH7-RHOSE-4.3:containernetworking-plugins-0:0.8.6-1.rhaos4.3.el7.x86_64",
"7Server-RH7-RHOSE-4.3:containernetworking-plugins-debuginfo-0:0.8.6-1.rhaos4.3.el7.ppc64le",
"7Server-RH7-RHOSE-4.3:containernetworking-plugins-debuginfo-0:0.8.6-1.rhaos4.3.el7.s390x",
"7Server-RH7-RHOSE-4.3:containernetworking-plugins-debuginfo-0:0.8.6-1.rhaos4.3.el7.x86_64",
"8Base-RHOSE-4.3:containernetworking-plugins-0:0.8.6-1.rhaos4.3.el8.ppc64le",
"8Base-RHOSE-4.3:containernetworking-plugins-0:0.8.6-1.rhaos4.3.el8.s390x",
"8Base-RHOSE-4.3:containernetworking-plugins-0:0.8.6-1.rhaos4.3.el8.src",
"8Base-RHOSE-4.3:containernetworking-plugins-0:0.8.6-1.rhaos4.3.el8.x86_64",
"8Base-RHOSE-4.3:containernetworking-plugins-debuginfo-0:0.8.6-1.rhaos4.3.el8.ppc64le",
"8Base-RHOSE-4.3:containernetworking-plugins-debuginfo-0:0.8.6-1.rhaos4.3.el8.s390x",
"8Base-RHOSE-4.3:containernetworking-plugins-debuginfo-0:0.8.6-1.rhaos4.3.el8.x86_64",
"8Base-RHOSE-4.3:containernetworking-plugins-debugsource-0:0.8.6-1.rhaos4.3.el8.ppc64le",
"8Base-RHOSE-4.3:containernetworking-plugins-debugsource-0:0.8.6-1.rhaos4.3.el8.s390x",
"8Base-RHOSE-4.3:containernetworking-plugins-debugsource-0:0.8.6-1.rhaos4.3.el8.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-10749"
},
{
"category": "external",
"summary": "RHBZ#1833220",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1833220"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-10749",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-10749"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-10749",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10749"
},
{
"category": "external",
"summary": "https://groups.google.com/forum/#!topic/kubernetes-security-announce/BMb_6ICCfp8",
"url": "https://groups.google.com/forum/#!topic/kubernetes-security-announce/BMb_6ICCfp8"
}
],
"release_date": "2020-06-01T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2020-06-17T19:46:04+00:00",
"details": "For OpenShift Container Platform 4.3 see the following documentation, which\nwill be updated shortly for release 4.3.25, for important instructions on\nhow to upgrade your cluster and fully apply this asynchronous errata\nupdate:\n\nhttps://docs.openshift.com/container-platform/4.3/release_notes/ocp-4-3-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.3/updating/updating-cluster-cli.html.",
"product_ids": [
"7Server-RH7-RHOSE-4.3:containernetworking-plugins-0:0.8.6-1.rhaos4.3.el7.ppc64le",
"7Server-RH7-RHOSE-4.3:containernetworking-plugins-0:0.8.6-1.rhaos4.3.el7.s390x",
"7Server-RH7-RHOSE-4.3:containernetworking-plugins-0:0.8.6-1.rhaos4.3.el7.src",
"7Server-RH7-RHOSE-4.3:containernetworking-plugins-0:0.8.6-1.rhaos4.3.el7.x86_64",
"7Server-RH7-RHOSE-4.3:containernetworking-plugins-debuginfo-0:0.8.6-1.rhaos4.3.el7.ppc64le",
"7Server-RH7-RHOSE-4.3:containernetworking-plugins-debuginfo-0:0.8.6-1.rhaos4.3.el7.s390x",
"7Server-RH7-RHOSE-4.3:containernetworking-plugins-debuginfo-0:0.8.6-1.rhaos4.3.el7.x86_64",
"8Base-RHOSE-4.3:containernetworking-plugins-0:0.8.6-1.rhaos4.3.el8.ppc64le",
"8Base-RHOSE-4.3:containernetworking-plugins-0:0.8.6-1.rhaos4.3.el8.s390x",
"8Base-RHOSE-4.3:containernetworking-plugins-0:0.8.6-1.rhaos4.3.el8.src",
"8Base-RHOSE-4.3:containernetworking-plugins-0:0.8.6-1.rhaos4.3.el8.x86_64",
"8Base-RHOSE-4.3:containernetworking-plugins-debuginfo-0:0.8.6-1.rhaos4.3.el8.ppc64le",
"8Base-RHOSE-4.3:containernetworking-plugins-debuginfo-0:0.8.6-1.rhaos4.3.el8.s390x",
"8Base-RHOSE-4.3:containernetworking-plugins-debuginfo-0:0.8.6-1.rhaos4.3.el8.x86_64",
"8Base-RHOSE-4.3:containernetworking-plugins-debugsource-0:0.8.6-1.rhaos4.3.el8.ppc64le",
"8Base-RHOSE-4.3:containernetworking-plugins-debugsource-0:0.8.6-1.rhaos4.3.el8.s390x",
"8Base-RHOSE-4.3:containernetworking-plugins-debugsource-0:0.8.6-1.rhaos4.3.el8.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2020:2443"
},
{
"category": "workaround",
"details": "Prevent untrusted, non-privileged containers from running with CAP_NET_RAW.",
"product_ids": [
"7Server-RH7-RHOSE-4.3:containernetworking-plugins-0:0.8.6-1.rhaos4.3.el7.ppc64le",
"7Server-RH7-RHOSE-4.3:containernetworking-plugins-0:0.8.6-1.rhaos4.3.el7.s390x",
"7Server-RH7-RHOSE-4.3:containernetworking-plugins-0:0.8.6-1.rhaos4.3.el7.src",
"7Server-RH7-RHOSE-4.3:containernetworking-plugins-0:0.8.6-1.rhaos4.3.el7.x86_64",
"7Server-RH7-RHOSE-4.3:containernetworking-plugins-debuginfo-0:0.8.6-1.rhaos4.3.el7.ppc64le",
"7Server-RH7-RHOSE-4.3:containernetworking-plugins-debuginfo-0:0.8.6-1.rhaos4.3.el7.s390x",
"7Server-RH7-RHOSE-4.3:containernetworking-plugins-debuginfo-0:0.8.6-1.rhaos4.3.el7.x86_64",
"8Base-RHOSE-4.3:containernetworking-plugins-0:0.8.6-1.rhaos4.3.el8.ppc64le",
"8Base-RHOSE-4.3:containernetworking-plugins-0:0.8.6-1.rhaos4.3.el8.s390x",
"8Base-RHOSE-4.3:containernetworking-plugins-0:0.8.6-1.rhaos4.3.el8.src",
"8Base-RHOSE-4.3:containernetworking-plugins-0:0.8.6-1.rhaos4.3.el8.x86_64",
"8Base-RHOSE-4.3:containernetworking-plugins-debuginfo-0:0.8.6-1.rhaos4.3.el8.ppc64le",
"8Base-RHOSE-4.3:containernetworking-plugins-debuginfo-0:0.8.6-1.rhaos4.3.el8.s390x",
"8Base-RHOSE-4.3:containernetworking-plugins-debuginfo-0:0.8.6-1.rhaos4.3.el8.x86_64",
"8Base-RHOSE-4.3:containernetworking-plugins-debugsource-0:0.8.6-1.rhaos4.3.el8.ppc64le",
"8Base-RHOSE-4.3:containernetworking-plugins-debugsource-0:0.8.6-1.rhaos4.3.el8.s390x",
"8Base-RHOSE-4.3:containernetworking-plugins-debugsource-0:0.8.6-1.rhaos4.3.el8.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.0,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"7Server-RH7-RHOSE-4.3:containernetworking-plugins-0:0.8.6-1.rhaos4.3.el7.ppc64le",
"7Server-RH7-RHOSE-4.3:containernetworking-plugins-0:0.8.6-1.rhaos4.3.el7.s390x",
"7Server-RH7-RHOSE-4.3:containernetworking-plugins-0:0.8.6-1.rhaos4.3.el7.src",
"7Server-RH7-RHOSE-4.3:containernetworking-plugins-0:0.8.6-1.rhaos4.3.el7.x86_64",
"7Server-RH7-RHOSE-4.3:containernetworking-plugins-debuginfo-0:0.8.6-1.rhaos4.3.el7.ppc64le",
"7Server-RH7-RHOSE-4.3:containernetworking-plugins-debuginfo-0:0.8.6-1.rhaos4.3.el7.s390x",
"7Server-RH7-RHOSE-4.3:containernetworking-plugins-debuginfo-0:0.8.6-1.rhaos4.3.el7.x86_64",
"8Base-RHOSE-4.3:containernetworking-plugins-0:0.8.6-1.rhaos4.3.el8.ppc64le",
"8Base-RHOSE-4.3:containernetworking-plugins-0:0.8.6-1.rhaos4.3.el8.s390x",
"8Base-RHOSE-4.3:containernetworking-plugins-0:0.8.6-1.rhaos4.3.el8.src",
"8Base-RHOSE-4.3:containernetworking-plugins-0:0.8.6-1.rhaos4.3.el8.x86_64",
"8Base-RHOSE-4.3:containernetworking-plugins-debuginfo-0:0.8.6-1.rhaos4.3.el8.ppc64le",
"8Base-RHOSE-4.3:containernetworking-plugins-debuginfo-0:0.8.6-1.rhaos4.3.el8.s390x",
"8Base-RHOSE-4.3:containernetworking-plugins-debuginfo-0:0.8.6-1.rhaos4.3.el8.x86_64",
"8Base-RHOSE-4.3:containernetworking-plugins-debugsource-0:0.8.6-1.rhaos4.3.el8.ppc64le",
"8Base-RHOSE-4.3:containernetworking-plugins-debugsource-0:0.8.6-1.rhaos4.3.el8.s390x",
"8Base-RHOSE-4.3:containernetworking-plugins-debugsource-0:0.8.6-1.rhaos4.3.el8.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "containernetworking/plugins: IPv6 router advertisements allow for MitM attacks on IPv4 clusters"
}
]
}