CVE-2020-25655

An issue was discovered in ManagedClusterView API, that could allow secrets to be disclosed to users without the correct permissions. Views created for an admin user would be made available for a short time to users with only view permission. In this short time window the user with view permission could read cluster secrets that should only be disclosed to admin users.

Published: Nov 9, 2020
Updated: Apr 14, 2023
CVE: CVE-2020-25655
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 6.5
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVSS v2:

Severity: Low
Score: 4
AV:N/AC:L/Au:S/C:P/I:N/A:N

CWEs:

CWE-863

Affected Software
References

Software	From	Fixed in
redhat / advanced_cluster_management_for_kubernetes	2.0	2.0.x

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-25655

Vulnerability Database

289,571

CVE-2020-25655