First published: Thu Feb 13 2020 (Updated: )
CNCF Envoy through 1.13.0 has incorrect Access Control when using SDS with Combined Validation Context. The combined validation context merges a "dynamic" part delivered over SDS (typically the trusted CA) with a "static" part written directly into the listener or cluster configuration (typically subject alternative name or certificate hash checks). When the same SDS secret (e.g. the trusted CA) was shared across many resources, the static part could fail to be applied at all, even though it was still visible in the active config dump. The config dump therefore could not be relied on as evidence that those checks were being enforced.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/envoy | <1.13.1 | 1.13.1 |
CNCF Envoy | <=1.13.0 | 1.13.1 |
CVE-2020-8664 is a vulnerability in CNCF Envoy, versions up to and including 1.13.0, that allows incorrect Access Control when using SDS with Combined Validation Context.
CVE-2020-8664 has a severity value of 5.3, which is considered medium.
CVE-2020-8664 can lead to the 'static' part of the validation context not being applied when the same SDS secret is shared across many resources, so checks configured there (such as subject alternative name matching) may not be enforced and peer certificates that should have been rejected can be accepted. Because the static part still appears in the active config dump, the misconfiguration is not visible from the dump alone.
To fix CVE-2020-8664, update CNCF Envoy to version 1.13.1 or higher.
You can find more information about CVE-2020-8664 in the Red Hat advisory [RHSA-2020:0734](https://access.redhat.com/errata/RHSA-2020:0734) and the Envoy security advisory [GHSA-3x9m-pgmg-xpx8](https://github.com/envoyproxy/envoy/security/advisories/GHSA-3x9m-pgmg-xpx8).
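The configuration pattern the advisory describes, as an added example that is not part of the original page or of the Envoy project's own documentation: a listener and a cluster that both use the combined validation context, sharing one SDS secret for the trusted CA while each carries its own static `match_subject_alt_names` check. The file paths, secret name, SAN values, hostnames and ports are assumptions chosen for illustration, and the config uses the v3 API form of the relevant messages.

```yaml
# Added example (not from the advisory or the Envoy project). Paths, names,
# SANs and ports are assumptions for illustration.
#
# Listener and cluster both use combined_validation_context:
#   - dynamic part: trusted CA delivered by SDS under the shared name
#     "shared_trusted_ca"
#   - static part: match_subject_alt_names, written inline
# On Envoy <= 1.13.0 the static part could silently go unenforced when the
# same SDS secret was shared like this, while still showing up in config_dump.
static_resources:
  listeners:
  - name: ingress_mtls
    address:
      socket_address: { address: 0.0.0.0, port_value: 8443 }
    filter_chains:
    - filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: ingress
          route_config:
            name: local
            virtual_hosts:
            - name: local
              domains: ["*"]
              routes:
              - match: { prefix: "/" }
                direct_response: { status: 200, body: { inline_string: "ok\n" } }
          http_filters:
          - name: envoy.filters.http.router
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
      transport_socket:
        name: envoy.transport_sockets.tls
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
          require_client_certificate: true
          common_tls_context:
            tls_certificates:
            - certificate_chain: { filename: /etc/envoy/certs/server.pem }
              private_key: { filename: /etc/envoy/certs/server-key.pem }
            combined_validation_context:
              # Static part: only clients whose certificate carries this SAN
              # are supposed to get through. This is the part CVE-2020-8664
              # could drop on affected builds.
              default_validation_context:
                match_subject_alt_names:
                - exact: "spiffe://example.org/ns/prod/sa/frontend"
              # Dynamic part: the CA bundle, delivered by SDS and shared with
              # the cluster below under the same secret name.
              validation_context_sds_secret_config:
                name: shared_trusted_ca
                sds_config:
                  path: /etc/envoy/sds/shared_trusted_ca.yaml
  clusters:
  - name: backend
    type: STRICT_DNS
    load_assignment:
      cluster_name: backend
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address: { address: backend.example.org, port_value: 443 }
    transport_socket:
      name: envoy.transport_sockets.tls
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
        common_tls_context:
          combined_validation_context:
            # Static part for the upstream side: pin the expected server SAN.
            default_validation_context:
              match_subject_alt_names:
              - exact: "backend.example.org"
            # Same shared SDS secret as the listener above.
            validation_context_sds_secret_config:
              name: shared_trusted_ca
              sds_config:
                path: /etc/envoy/sds/shared_trusted_ca.yaml
---
# Separate file, /etc/envoy/sds/shared_trusted_ca.yaml (assumed path): the
# SDS secret that the listener and cluster above both reference.
resources:
- "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret
  name: shared_trusted_ca
  validation_context:
    trusted_ca:
      filename: /etc/envoy/certs/ca.pem
```

The two YAML documents are separate files; the `---` separator is only there to show both in one listing. The practical check is behavioural rather than configuration-based: connect to port 8443 with a client certificate issued by the trusted CA whose SAN does not match `spiffe://example.org/ns/prod/sa/frontend` (for example with `openssl s_client -cert other.pem -key other-key.pem -connect 127.0.0.1:8443`) and confirm the handshake is rejected. On a fixed build (1.13.1 or later) the connection fails; on an affected build sharing the secret this way, the connection may succeed even though `/config_dump` on the admin interface still lists the `match_subject_alt_names` entry.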