Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXBmNTktajdjMi1yaDZ4
Exposure of Sensitive Information to an Unauthorized Actor and Insertion of Sensitive Information Into Sent Data in Calico
Clusters using Calico (version 3.14.0 and below), Calico Enterprise (version 2.8.2 and below), may be vulnerable to information disclosure if IPv6 is enabled but unused. A compromised pod with sufficient privilege is able to reconfigure the node’s IPv6 interface due to the node accepting route advertisement by default, allowing the attacker to redirect full or partial network traffic from the node to the compromised pod.
Permalink: https://github.com/advisories/GHSA-pf59-j7c2-rh6xJSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXBmNTktajdjMi1yaDZ4
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 3 years ago
Updated: 6 months ago
CVSS Score: 6.0
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L
Identifiers: GHSA-pf59-j7c2-rh6x, CVE-2020-13597
References:
- https://nvd.nist.gov/vuln/detail/CVE-2020-13597
- https://github.com/kubernetes/kubernetes/issues/91507
- https://github.com/containernetworking/plugins/commit/ad10b6fa91aacd720f1f9ab94341a97a82a24965
- https://groups.google.com/forum/#!topic/kubernetes-security-announce/BMb_6ICCfp8
- https://github.com/containernetworking/plugins/pull/484
- https://www.projectcalico.org/security-bulletins
- https://github.com/advisories/GHSA-pf59-j7c2-rh6x
Blast Radius: 5.1
Affected Packages
go:github.com/projectcalico/calico
Dependent packages: 5Dependent repositories: 7
Downloads:
Affected Version Ranges: < 3.8.9, >= 3.9.0, < 3.9.6, >= 3.10.0, < 3.10.4, >= 3.11.0, < 3.11.3, >= 3.12.0, < 3.12.2, >= 3.13.0, < 3.13.4, >= 3.14.0, < 3.14.1
Fixed in: 3.8.9, 3.9.6, 3.10.4, 3.11.3, 3.12.2, 3.13.4, 3.14.1
All affected versions: 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.6.5, 2.6.6, 2.6.7, 2.6.8, 2.6.9, 2.6.10, 2.6.11, 2.6.12, 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6, 3.0.7, 3.0.8, 3.0.9, 3.0.10, 3.0.11, 3.0.12, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.1.4, 3.1.5, 3.1.6, 3.1.7, 3.2.0, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.2.6, 3.2.7, 3.2.8, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 3.3.6, 3.3.7, 3.4.0, 3.4.1, 3.4.2, 3.4.3, 3.4.4, 3.5.0, 3.5.1, 3.5.2, 3.5.3, 3.5.4, 3.5.5, 3.5.6, 3.5.7, 3.5.8, 3.6.0, 3.6.1, 3.6.2, 3.6.3, 3.6.4, 3.6.5, 3.7.0, 3.7.1, 3.7.2, 3.7.3, 3.7.4, 3.7.5, 3.8.0, 3.8.1, 3.8.2, 3.8.3, 3.8.4, 3.8.5, 3.8.6, 3.8.7, 3.8.8, 3.9.0, 3.9.1, 3.9.2, 3.9.3, 3.9.4, 3.9.5, 3.10.0, 3.10.1, 3.10.2, 3.10.3, 3.11.0, 3.11.1, 3.11.2, 3.12.0, 3.12.1, 3.13.0, 3.13.1, 3.13.3, 3.14.0
All unaffected versions: 3.8.9, 3.9.6, 3.10.4, 3.11.3, 3.12.2, 3.12.3, 3.13.4, 3.14.1, 3.15.0, 3.15.1, 3.15.2, 3.15.3, 3.15.4, 3.15.5, 3.16.0, 3.16.1, 3.16.2, 3.16.3, 3.16.4, 3.16.5, 3.16.6, 3.16.7, 3.16.8, 3.16.9, 3.16.10, 3.17.0, 3.17.1, 3.17.2, 3.17.3, 3.17.4, 3.17.5, 3.17.6, 3.18.0, 3.18.1, 3.18.2, 3.18.3, 3.18.4, 3.18.5, 3.18.6, 3.19.0, 3.19.1, 3.19.2, 3.19.3, 3.19.4, 3.20.0, 3.20.1, 3.20.2, 3.20.3, 3.21.0, 3.21.1