CVE-2020-25655
First published: Mon Nov 09 2020(Updated: )
An issue was discovered in ManagedClusterView API, that could allow secrets to be disclosed to users without the correct permissions. Views created for an admin user would be made available for a short time to users with only view permission. In this short time window the user with view permission could read cluster secrets that should only be disclosed to admin users.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Redhat Advanced Cluster Management For Kubernetes | =2.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2020-25655?
CVE-2020-25655 is a vulnerability in the ManagedClusterView API that can allow secrets to be disclosed to users without the correct permissions.
What is the severity of CVE-2020-25655?
CVE-2020-25655 has a severity rating of medium (6.5).
What software is affected by CVE-2020-25655?
CVE-2020-25655 affects Redhat Advanced Cluster Management For Kubernetes version 2.0.
How can the CVE-2020-25655 vulnerability be exploited?
The CVE-2020-25655 vulnerability can be exploited by users with view permission accessing views created for an admin user during a short time window.
Is there a fix for CVE-2020-25655?
Yes, it is recommended to update to a patched version of Redhat Advanced Cluster Management For Kubernetes to fix the CVE-2020-25655 vulnerability.
- collector/nvd-index
- agent/weakness
- agent/author
- agent/severity
- agent/references
- agent/tags
- agent/event
- agent/type
- agent/description
- agent/last-modified-date
- agent/softwarecombine
- agent/first-publish-date
- vendor/redhat
- canonical/redhat advanced cluster management for kubernetes
- version/redhat advanced cluster management for kubernetes/2.0