CVE-2020-8664 Information

Description

CNCF Envoy through 1.13.0 has incorrect access control when using SDS with a Combined Validation Context. Using the same secret (e.g. a trusted CA) across many resources together with the combined validation context could cause the "static" part of the validation context not to be applied, even though it was visible in the active config dump.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Reference

https://access.redhat.com/errata/RHSA-2020:0734
https://github.com/envoyproxy/envoy/security/advisories/GHSA-3x9m-pgmg-xpx8
https://www.envoyproxy.io/docs/envoy/v1.13.1/intro/version_history

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

Base Score

5.3

Base Severity

MEDIUM
