CVE-2020-27836

A flaw was found in cluster-ingress-operator. A change to how the router-default service allows only certain IP source ranges could allow an attacker to access resources that would otherwise be restricted to specified IP ranges. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability..

CVSS v3.0 9.8 CRITICAL

9.8^/10

CVSS v3.0 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/openshift/cluster-ingress-operator/pull/507/commits/92c83f281ba5fb6a1d91ecc3beaa4bcf2647a729	Patch Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=1906267	Issue Tracking Patch Vendor Advisory
https://access.redhat.com/security/cve/CVE-2020-27836	Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=1905490	Issue Tracking Permissions Required Vendor Advisory

Advertisement

Configurations

Configuration 1 (hide)

AND

cpe:2.3:a:redhat:openshift_container_platform:4.6:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*

Information

Published : 2022-08-22 08:15

Updated : 2022-08-24 12:27

NVD link : CVE-2020-27836

Mitre link : CVE-2020-27836

JSON object : View

CWE

CWE-732

Incorrect Permission Assignment for Critical Resource

Advertisement

Products Affected

redhat

enterprise_linux
openshift_container_platform

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "https://github.com/openshift/cluster-ingress-operator/pull/507/commits/92c83f281ba5fb6a1d91ecc3beaa4bcf2647a729", "name": "https://github.com/openshift/cluster-ingress-operator/pull/507/commits/92c83f281ba5fb6a1d91ecc3beaa4bcf2647a729", "tags": ["Patch", "Third Party Advisory"], "refsource": "MISC"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1906267", "name": "https://bugzilla.redhat.com/show_bug.cgi?id=1906267", "tags": ["Issue Tracking", "Patch", "Vendor Advisory"], "refsource": "MISC"}, {"url": "https://access.redhat.com/security/cve/CVE-2020-27836", "name": "https://access.redhat.com/security/cve/CVE-2020-27836", "tags": ["Vendor Advisory"], "refsource": "MISC"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1905490", "name": "https://bugzilla.redhat.com/show_bug.cgi?id=1905490", "tags": ["Issue Tracking", "Permissions Required", "Vendor Advisory"], "refsource": "MISC"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "A flaw was found in cluster-ingress-operator. A change to how the router-default service allows only certain IP source ranges could allow an attacker to access resources that would otherwise be restricted to specified IP ranges. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-732"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2020-27836", "ASSIGNER": "secalert@redhat.com"}}, "impact": {"baseMetricV3": {"cvssV3": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}}, "publishedDate": "2022-08-22T15:15Z", "configurations": {"nodes": [{"children": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:redhat:openshift_container_platform:4.6:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}, {"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}]}], "operator": "AND", "cpe_match": []}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2022-08-24T19:27Z"}