What is the vulnerability ID?

The vulnerability ID is CVE-2020-25688.

What is the severity of CVE-2020-25688?

The severity of CVE-2020-25688 is low with a CVSS score of 3.5.

Which versions of the affected software are vulnerable to CVE-2020-25688?

Versions before 2.0.5 and before 2.1.0 of Redhat Advanced Cluster Management for Kubernetes (RHACM) are vulnerable to CVE-2020-25688.

How does CVE-2020-25688 impact the affected software?

CVE-2020-25688 allows an attacker who can observe network traffic internal to RHACM installations to access the internal service APIs using a test certificate from the source repository.

Is there a fix available for CVE-2020-25688?

Yes, remediation is available in version 2.0.5 and version 2.1.0 of RHACM.

Vulnerability/
CVE-2020-25688

low

3.5

CWE

798 321

29/10/2020

23/11/2020

4/8/2024

CVE-2020-25688

First published: Thu Oct 29 2020(Updated: )

A flaw was found in rhacm versions before 2.0.5 and before 2.1.0. Two internal service APIs were incorrectly provisioned using a test certificate from the source repository. This would result in all installations using the same certificates. If an attacker could observe network traffic internal to a cluster, they could use the private key to decode API requests that should be protected by TLS sessions, potentially obtaining information they would not otherwise be able to. These certificates are not used for service authentication, so no opportunity for impersonation or active MITM attacks were made possible.

Credit: secalert@redhat.com

Affected Software	Affected Version	How to fix
Redhat Advanced Cluster Management For Kubernetes	<2.0.5
redhat/rhacm	<2.0.5	2.0.5
redhat/rhacm	<2.1.0	2.1.0

Never miss a vulnerability like this again

Reference Links

https://bugzilla.redhat.com/show_bug.cgi?id=1892551

Frequently Asked Questions

What is the vulnerability ID?
The vulnerability ID is CVE-2020-25688.
What is the severity of CVE-2020-25688?
The severity of CVE-2020-25688 is low with a CVSS score of 3.5.
Which versions of the affected software are vulnerable to CVE-2020-25688?
Versions before 2.0.5 and before 2.1.0 of Redhat Advanced Cluster Management for Kubernetes (RHACM) are vulnerable to CVE-2020-25688.
How does CVE-2020-25688 impact the affected software?
CVE-2020-25688 allows an attacker who can observe network traffic internal to RHACM installations to access the internal service APIs using a test certificate from the source repository.
Is there a fix available for CVE-2020-25688?
Yes, remediation is available in version 2.0.5 and version 2.1.0 of RHACM.

collector/nvd-index
agent/weakness
agent/type
agent/softwarecombine
agent/first-publish-date
collector/mitre-cve
source/MITRE
collector/redhat-bugzilla
source/Red Hat
alias/CVE-2020-25688
agent/software-canonical-lookup
agent/severity
agent/references
agent/author
agent/last-modified-date
agent/event
agent/tags
agent/description
vendor/redhat
canonical/redhat advanced cluster management for kubernetes
package-manager/redhat

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.