Vulnerability Description
Clusters using Calico (version 3.14.0 and below), Calico Enterprise (version 2.8.2 and below), may be vulnerable to information disclosure if IPv6 is enabled but unused. A compromised pod with sufficient privilege is able to reconfigure the node’s IPv6 interface due to the node accepting route advertisement by default, allowing the attacker to redirect full or partial network traffic from the node to the compromised pod.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Projectcalico | Calico | <= 2.6.2 |
Related Weaknesses (CWE)
References
- https://github.com/kubernetes/kubernetes/issues/91507Issue TrackingThird Party Advisory
- https://groups.google.com/forum/#%21topic/kubernetes-security-announce/BMb_6ICCf
- https://www.projectcalico.org/security-bulletins/Vendor Advisory
- https://github.com/kubernetes/kubernetes/issues/91507Issue TrackingThird Party Advisory
- https://groups.google.com/forum/#%21topic/kubernetes-security-announce/BMb_6ICCf
- https://www.projectcalico.org/security-bulletins/Vendor Advisory
FAQ
What is CVE-2020-13597?
CVE-2020-13597 is a vulnerability with a CVSS score of 6.0 (MEDIUM). Clusters using Calico (version 3.14.0 and below), Calico Enterprise (version 2.8.2 and below), may be vulnerable to information disclosure if IPv6 is enabled but unused. A compromised pod with suffici...
How severe is CVE-2020-13597?
CVE-2020-13597 has been rated MEDIUM with a CVSS base score of 6.0/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2020-13597?
Check the references section above for vendor advisories and patch information. Affected products include: Projectcalico Calico.