CVE-2020-13597 Information

Description

Clusters using Calico (version 3.14.0 and below) Calico Enterprise (version 2.8.2 and below) may be vulnerable to information disclosure if IPv6 is enabled but unused. A compromised pod with sufficient privilege is able to reconfigure the node’s IPv6 interface due to the node accepting route advertisement by default allowing the attacker to redirect full or partial network traffic from the node to the compromised pod.

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N

Reference

https://github.com/kubernetes/kubernetes/issues/91507 https://groups.google.com/forum/!topic/kubernetes-security-announce/BMb_6ICCfp8 https://www.projectcalico.org/security-bulletins/

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction Required

LOW

Scope

NONE

Confidentiality Impact

CHANGED

Integrity Impact

LOW

Availability Impact

NONE

Base Score

NONE

Base Severity

3.5