{"containers": {"cna": {"affected": [{"product": "Conjur OSS Helm Chart", "vendor": "CyberArk", "versions": [{"status": "affected", "version": "< 2.0.0"}]}], "descriptions": [{"lang": "en", "value": "In Conjur OSS Helm Chart before 2.0.0, a recently identified critical vulnerability resulted in the installation of the Conjur Postgres database with an open port. This allows an attacker to gain full read & write access to the Conjur Postgres database, including escalating the attacker's privileges to assume full control. A malicious actor who knows the IP address and port number of the Postgres database and has access into the Kubernetes cluster where Conjur runs can gain full read & write access to the Postgres database. This enables the attacker to write a policy that allows full access to retrieve any secret. This Helm chart is a method to install Conjur OSS into a Kubernetes environment. Hence, the systems impacted are only Conjur OSS systems that were deployed using this chart. Other deployments including Docker and the CyberArk Dynamic Access Provider (DAP) are not affected. To remediate this vulnerability, clone the latest Helm Chart and follow the upgrade instructions. If you are not able to fully remediate this vulnerability immediately, you can mitigate some of the risk by making sure Conjur OSS is deployed on an isolated Kubernetes cluster or namespace. The term \"isolated\" refers to: - No other workloads besides Conjur OSS and its backend database are running in that Kubernetes cluster/namespace. - Kubernetes and helm access to the cluster/namespace is limited to security administrators via Role-Based Access Control (RBAC)."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-284", "description": "CWE-284: Improper Access Control", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-06-22T15:20:16", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/cyberark/conjur-oss-helm-chart/security/advisories/GHSA-mg2m-623j-wpxw"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/cyberark/conjur-oss-helm-chart/commit/2dab801ed4ab591c626fc6674f306fcf0d004c1e"}], "source": {"advisory": "GHSA-mg2m-623j-wpxw", "discovery": "UNKNOWN"}, "title": "Improper Access Control in Conjur OSS Helm Chart", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2020-4062", "STATE": "PUBLIC", "TITLE": "Improper Access Control in Conjur OSS Helm Chart"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Conjur OSS Helm Chart", "version": {"version_data": [{"version_value": "< 2.0.0"}]}}]}, "vendor_name": "CyberArk"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In Conjur OSS Helm Chart before 2.0.0, a recently identified critical vulnerability resulted in the installation of the Conjur Postgres database with an open port. This allows an attacker to gain full read & write access to the Conjur Postgres database, including escalating the attacker's privileges to assume full control. A malicious actor who knows the IP address and port number of the Postgres database and has access into the Kubernetes cluster where Conjur runs can gain full read & write access to the Postgres database. This enables the attacker to write a policy that allows full access to retrieve any secret. This Helm chart is a method to install Conjur OSS into a Kubernetes environment. Hence, the systems impacted are only Conjur OSS systems that were deployed using this chart. Other deployments including Docker and the CyberArk Dynamic Access Provider (DAP) are not affected. To remediate this vulnerability, clone the latest Helm Chart and follow the upgrade instructions. If you are not able to fully remediate this vulnerability immediately, you can mitigate some of the risk by making sure Conjur OSS is deployed on an isolated Kubernetes cluster or namespace. The term \"isolated\" refers to: - No other workloads besides Conjur OSS and its backend database are running in that Kubernetes cluster/namespace. - Kubernetes and helm access to the cluster/namespace is limited to security administrators via Role-Based Access Control (RBAC)."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-284: Improper Access Control"}]}]}, "references": {"reference_data": [{"name": "https://github.com/cyberark/conjur-oss-helm-chart/security/advisories/GHSA-mg2m-623j-wpxw", "refsource": "CONFIRM", "url": "https://github.com/cyberark/conjur-oss-helm-chart/security/advisories/GHSA-mg2m-623j-wpxw"}, {"name": "https://github.com/cyberark/conjur-oss-helm-chart/commit/2dab801ed4ab591c626fc6674f306fcf0d004c1e", "refsource": "MISC", "url": "https://github.com/cyberark/conjur-oss-helm-chart/commit/2dab801ed4ab591c626fc6674f306fcf0d004c1e"}]}, "source": {"advisory": "GHSA-mg2m-623j-wpxw", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T07:52:20.924Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/cyberark/conjur-oss-helm-chart/security/advisories/GHSA-mg2m-623j-wpxw"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/cyberark/conjur-oss-helm-chart/commit/2dab801ed4ab591c626fc6674f306fcf0d004c1e"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2020-4062", "datePublished": "2020-06-22T15:20:16", "dateReserved": "2019-12-30T00:00:00", "dateUpdated": "2024-08-04T07:52:20.924Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:cyberark:conjur_oss_helm_chart:*:*:*:*:*:*:*:*", "matchCriteriaId": "885557BF-E079-4340-8530-E0A192421AF2", "versionEndExcluding": "2.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "In Conjur OSS Helm Chart before 2.0.0, a recently identified critical vulnerability resulted in the installation of the Conjur Postgres database with an open port. This allows an attacker to gain full read & write access to the Conjur Postgres database, including escalating the attacker's privileges to assume full control. A malicious actor who knows the IP address and port number of the Postgres database and has access into the Kubernetes cluster where Conjur runs can gain full read & write access to the Postgres database. This enables the attacker to write a policy that allows full access to retrieve any secret. This Helm chart is a method to install Conjur OSS into a Kubernetes environment. Hence, the systems impacted are only Conjur OSS systems that were deployed using this chart. Other deployments including Docker and the CyberArk Dynamic Access Provider (DAP) are not affected. To remediate this vulnerability, clone the latest Helm Chart and follow the upgrade instructions. If you are not able to fully remediate this vulnerability immediately, you can mitigate some of the risk by making sure Conjur OSS is deployed on an isolated Kubernetes cluster or namespace. The term \"isolated\" refers to: - No other workloads besides Conjur OSS and its backend database are running in that Kubernetes cluster/namespace. - Kubernetes and helm access to the cluster/namespace is limited to security administrators via Role-Based Access Control (RBAC)."}, {"lang": "es", "value": "En Conjur OSS Helm Chart versiones anteriores a 2.0.0, una vulnerabilidad cr\u00edtica recientemente identificada result\u00f3 en la instalaci\u00f3n de la base de datos de Conjur Postgres con un puerto abierto. Esto permite a un atacante conseguir acceso completo de lectura y escritura a la base de datos de Conjur Postgres, incluyendo el aumento de los privilegios del atacante para asumir el control total. Un actor malicioso que conoce la direcci\u00f3n IP y el n\u00famero de puerto de la base de datos de Postgres y tiene acceso al cl\u00faster de Kubernetes donde se ejecuta Conjur puede conseguir acceso completo de lectura y escritura a la base de datos de Postgres. Esto permite al atacante escribir una pol\u00edtica que permita el acceso total para recuperar cualquier secreto. Este Helm chart es un m\u00e9todo para instalar Conjur OSS en un entorno Kubernetes. Por lo tanto, los sistemas afectados son solo sistemas Conjur OSS que se implementaron usando este gr\u00e1fico. Otras implementaciones, incluidas Docker y CyberArk Dynamic Access Provider (DAP), no est\u00e1n afectadas. Para remediar esta vulnerabilidad, clone el \u00faltimo Helm Chart y siga las instrucciones de actualizaci\u00f3n. Si no es capaz de remediar completamente esta vulnerabilidad de inmediato, puede mitigar algunos de los riesgos asegur\u00e1ndose de que Conjur OSS se implemente en un cl\u00faster o espacio de nombres Kubernetes aislado. El t\u00e9rmino \"isolated\" se refiere a: - No se est\u00e1n ejecutando otras cargas de trabajo adem\u00e1s de Conjur OSS y su base de datos de backend en ese cl\u00faster y espacio de nombres de Kubernetes. - El acceso de Kubernetes y helm al cl\u00faster y espacio de nombres est\u00e1 limitado a los administradores de seguridad por medio del Control de Acceso basado en Roles (RBAC)"}], "id": "CVE-2020-4062", "lastModified": "2024-11-21T05:32:14.537", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "ADJACENT_NETWORK", "authentication": "SINGLE", "availabilityImpact": "COMPLETE", "baseScore": 7.7, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:A/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 5.1, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 5.8, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 6.0, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-06-22T16:15:11.650", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/cyberark/conjur-oss-helm-chart/commit/2dab801ed4ab591c626fc6674f306fcf0d004c1e"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/cyberark/conjur-oss-helm-chart/security/advisories/GHSA-mg2m-623j-wpxw"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/cyberark/conjur-oss-helm-chart/commit/2dab801ed4ab591c626fc6674f306fcf0d004c1e"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/cyberark/conjur-oss-helm-chart/security/advisories/GHSA-mg2m-623j-wpxw"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}