{"containers": {"cna": {"affected": [{"product": "cluster-ingress-operator", "vendor": "n/a", "versions": [{"status": "affected", "version": "Fixed in ose-cluster-ingress-operator-container-v4.6.0-202012161211.p0."}]}], "descriptions": [{"lang": "en", "value": "A flaw was found in cluster-ingress-operator. A change to how the router-default service allows only certain IP source ranges could allow an attacker to access resources that would otherwise be restricted to specified IP ranges. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-732", "description": "CWE-732 - Incorrect Permission Assignment for Critical Resource", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-08-22T14:43:37", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1906267"}, {"tags": ["x_refsource_MISC"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1905490"}, {"tags": ["x_refsource_MISC"], "url": "https://access.redhat.com/security/cve/CVE-2020-27836"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/openshift/cluster-ingress-operator/pull/507/commits/92c83f281ba5fb6a1d91ecc3beaa4bcf2647a729"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert@redhat.com", "ID": "CVE-2020-27836", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "cluster-ingress-operator", "version": {"version_data": [{"version_value": "Fixed in ose-cluster-ingress-operator-container-v4.6.0-202012161211.p0."}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A flaw was found in cluster-ingress-operator. A change to how the router-default service allows only certain IP source ranges could allow an attacker to access resources that would otherwise be restricted to specified IP ranges. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-732 - Incorrect Permission Assignment for Critical Resource"}]}]}, "references": {"reference_data": [{"name": "https://bugzilla.redhat.com/show_bug.cgi?id=1906267", "refsource": "MISC", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1906267"}, {"name": "https://bugzilla.redhat.com/show_bug.cgi?id=1905490", "refsource": "MISC", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1905490"}, {"name": "https://access.redhat.com/security/cve/CVE-2020-27836", "refsource": "MISC", "url": "https://access.redhat.com/security/cve/CVE-2020-27836"}, {"name": "https://github.com/openshift/cluster-ingress-operator/pull/507/commits/92c83f281ba5fb6a1d91ecc3beaa4bcf2647a729", "refsource": "MISC", "url": "https://github.com/openshift/cluster-ingress-operator/pull/507/commits/92c83f281ba5fb6a1d91ecc3beaa4bcf2647a729"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T16:25:43.135Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1906267"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1905490"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://access.redhat.com/security/cve/CVE-2020-27836"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/openshift/cluster-ingress-operator/pull/507/commits/92c83f281ba5fb6a1d91ecc3beaa4bcf2647a729"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2020-27836", "datePublished": "2022-08-22T14:43:37", "dateReserved": "2020-10-27T00:00:00", "dateUpdated": "2024-08-04T16:25:43.135Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "F4CFF558-3C47-480D-A2F0-BABF26042943", "vulnerable": false}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:openshift_container_platform:4.6:*:*:*:*:*:*:*", "matchCriteriaId": "6B62E762-2878-455A-93C9-A5DB430D7BB5", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in cluster-ingress-operator. A change to how the router-default service allows only certain IP source ranges could allow an attacker to access resources that would otherwise be restricted to specified IP ranges. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.."}, {"lang": "es", "value": "Se ha encontrado un fallo en cluster-ingress-operator. Un cambio en la forma en que el servicio de enrutamiento por defecto permite s\u00f3lo determinados rangos de origen de IP podr\u00eda permitir a un atacante acceder a recursos que de otro modo estar\u00edan restringidos a rangos de IP especificados. La mayor amenaza de esta vulnerabilidad es la confidencialidad e integridad de los datos, as\u00ed como la disponibilidad del sistema."}], "id": "CVE-2020-27836", "lastModified": "2022-08-24T19:27:41.767", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-08-22T15:15:12.800", "references": [{"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/security/cve/CVE-2020-27836"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Permissions Required", "Vendor Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1905490"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Patch", "Vendor Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1906267"}, {"source": "secalert@redhat.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/openshift/cluster-ingress-operator/pull/507/commits/92c83f281ba5fb6a1d91ecc3beaa4bcf2647a729"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-732"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-732"}], "source": "secalert@redhat.com", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2020:5614", "cpe": "cpe:/a:redhat:openshift:4.6::el8", "package": "openshift4/ose-cluster-ingress-operator:v4.6.0-202012161211.p0", "product_name": "Red Hat OpenShift Container Platform 4.6", "release_date": "2020-12-21T00:00:00Z"}], "bugzilla": {"description": "cluster-ingress-operator: changes to loadBalancerSourceRanges overwritten by operator", "id": "1906267", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1906267"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-732", "details": ["A flaw was found in cluster-ingress-operator. A change to how the router-default service allows only certain IP source ranges could allow an attacker to access resources that would otherwise be restricted to specified IP ranges. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability..", "A flaw was found in cluster-ingress-operator. A change to how the router-default service allows only certain IP source ranges could allow an attacker to access resources that would otherwise be restricted to specified IP ranges. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability."], "mitigation": {"lang": "en:us", "value": "Move the allowed IP source ranges from the loadBalancerSourceRanges setting to \"service.beta.kubernetes.io/load-balancer-source-ranges\" annotation. For example: \noc -n openshift-ingress annotate svc/router-default service.beta.kubernetes.io/load-balancer-source-ranges=10.0.0.0/8,192.168.0.0/16"}, "name": "CVE-2020-27836", "public_date": "2020-12-10T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2020-27836\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-27836"], "threat_severity": "Important", "upstream_fix": "ose-cluster-ingress-operator-container-v4.6.0 202012161211.p0"}