{"containers": {"cna": {"affected": [{"product": "virt-handler", "vendor": "n/a", "versions": [{"status": "affected", "version": "kubevirt 0.26.0"}]}], "descriptions": [{"lang": "en", "value": "A flaw was found in the KubeVirt main virt-handler versions before 0.26.0 regarding the access permissions of virt-handler. An attacker with access to create VMs could attach any secret within their namespace, allowing them to read the contents of that secret."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-732", "description": "CWE-732", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-05-27T19:45:04", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1792092"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert@redhat.com", "ID": "CVE-2020-1701", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "virt-handler", "version": {"version_data": [{"version_value": "kubevirt 0.26.0"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A flaw was found in the KubeVirt main virt-handler versions before 0.26.0 regarding the access permissions of virt-handler. An attacker with access to create VMs could attach any secret within their namespace, allowing them to read the contents of that secret."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-732"}]}]}, "references": {"reference_data": [{"name": "https://bugzilla.redhat.com/show_bug.cgi?id=1792092", "refsource": "MISC", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1792092"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T06:46:29.878Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1792092"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2020-1701", "datePublished": "2021-05-27T19:45:04", "dateReserved": "2019-11-27T00:00:00", "dateUpdated": "2024-08-04T06:46:29.878Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:kubevirt:kubevirt:*:*:*:*:*:kubernetes:*:*", "matchCriteriaId": "4DC4EAAB-7AB8-4F53-9956-C12FA9F89C20", "versionEndExcluding": "0.26.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in the KubeVirt main virt-handler versions before 0.26.0 regarding the access permissions of virt-handler. An attacker with access to create VMs could attach any secret within their namespace, allowing them to read the contents of that secret."}, {"lang": "es", "value": "Se encontr\u00f3 un fallo en el KubeVirt main virt-handler versiones anteriores a 0.26.0, con respecto a los permisos de acceso de virt-handler. Un atacante con acceso para crear m\u00e1quinas virtuales podr\u00eda adjuntar cualquier secreto dentro de su namespace, permiti\u00e9ndoles leer el contenido de ese secreto"}], "id": "CVE-2020-1701", "lastModified": "2021-06-10T14:55:59.580", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-05-27T20:15:07.957", "references": [{"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1792092"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-732"}], "source": "secalert@redhat.com", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHEA-2020:2011", "cpe": "cpe:/a:redhat:container_native_virtualization:2.3::el8", "package": "kubevirt-cpu-model-nfd-plugin-container", "product_name": "Red Hat OpenShift Virtualization 2", "release_date": "2020-05-04T00:00:00Z"}, {"advisory": "RHEA-2020:2011", "cpe": "cpe:/a:redhat:container_native_virtualization:2.3::el8", "package": "kubevirt-cpu-node-labeller-container", "product_name": "Red Hat OpenShift Virtualization 2", "release_date": "2020-05-04T00:00:00Z"}, {"advisory": "RHEA-2020:2011", "cpe": "cpe:/a:redhat:container_native_virtualization:2.3::el8", "package": "kubevirt-kvm-info-nfd-plugin-container", "product_name": "Red Hat OpenShift Virtualization 2", "release_date": "2020-05-04T00:00:00Z"}], "bugzilla": {"description": "virt-handler: virt-handler daemonset clusterroles allows retrieval of secrets", "id": "1792092", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1792092"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "status": "verified"}, "cwe": "CWE-732", "details": ["A flaw was found in the KubeVirt main virt-handler versions before 0.26.0 regarding the access permissions of virt-handler. An attacker with access to create VMs could attach any secret within their namespace, allowing them to read the contents of that secret.", "A flaw was found in the KubeVirt main virt-handler regarding the access permissions of virt-handler. An attacker with access to create VMs could attach any secret within their namespace, allowing them to read the contents of that secret."], "mitigation": {"lang": "en:us", "value": "This issue can only be resolved by applying updates.\nMitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2020-1701", "package_state": [{"cpe": "cpe:/a:redhat:container_native_virtualization:1", "fix_state": "Fix deferred", "package_name": "virt-handler", "product_name": "Red Hat OpenShift Virtualization 1"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:2", "fix_state": "Affected", "package_name": "virt-handler-container", "product_name": "Red Hat OpenShift Virtualization 2"}], "public_date": "2020-01-07T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2020-1701\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-1701"], "threat_severity": "Moderate", "upstream_fix": "kubevirt 0.26.0"}