1. Home
  2. CVE Database
  3. CVE-2020-25688
LOW · 3.5

CVE-2020-25688

A flaw was found in rhacm versions before 2.0.5 and before 2.1.0. Two internal service APIs were incorrectly provisioned using a test certificate from the source repository. This would result in all i...

Vulnerability Description

A flaw was found in rhacm versions before 2.0.5 and before 2.1.0. Two internal service APIs were incorrectly provisioned using a test certificate from the source repository. This would result in all installations using the same certificates. If an attacker could observe network traffic internal to a cluster, they could use the private key to decode API requests that should be protected by TLS sessions, potentially obtaining information they would not otherwise be able to. These certificates are not used for service authentication, so no opportunity for impersonation or active MITM attacks were made possible.

CVSS Score

3.5

LOW

CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
ADJACENT_NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
LOW
Integrity
NONE
Availability
NONE

Affected Products

VendorProductVersions
RedhatAdvanced Cluster Management For Kubernetes< 2.0.5

Related Weaknesses (CWE)

CWE-321CWE-798

References

FAQ

What is CVE-2020-25688?

CVE-2020-25688 is a vulnerability with a CVSS score of 3.5 (LOW). A flaw was found in rhacm versions before 2.0.5 and before 2.1.0. Two internal service APIs were incorrectly provisioned using a test certificate from the source repository. This would result in all i...

How severe is CVE-2020-25688?

CVE-2020-25688 has been rated LOW with a CVSS base score of 3.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2020-25688?

Check the references section above for vendor advisories and patch information. Affected products include: Redhat Advanced Cluster Management For Kubernetes.