CVE-2020-8029 - Vulnerability Details - OpenCVE

Description

A Incorrect Permission Assignment for Critical Resource vulnerability in skuba of SUSE CaaS Platform 4.5 allows local attackers to gain access to the kublet key. This issue affects: SUSE CaaS Platform 4.5 skuba versions prior to https://github.com/SUSE/skuba/pull/1416.

Published: 2021-02-11

Score: 2.9 Low

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

No analysis available yet.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

SUSE

SUSE CaaS Platform 4.5

affected

Version	Status	Constraints
`skuba`	affected	< https://github.com/SUSE/skuba/pull/1416

Configuration 1 [-]

cpe:2.3:a:suse:caas_platform:4.5:*:*:*:*:*:*:*

No data.

No data available yet.

Remediation

No remediation available yet.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2020-28941	A Incorrect Permission Assignment for Critical Resource vulnerability in skuba of SUSE CaaS Platform 4.5 allows local attackers to gain access to the kublet key. This issue affects: SUSE CaaS Platform 4.5 skuba versions prior to https://github.com/SUSE/skuba/pull/1416.

No CVSS v4.0

Attack Vector Local

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.0011.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://bugzilla.suse.com/show_bug.cgi?id=1177362

History

No history.

Subscriptions

Suse Caas Platform

MITRE

Status: PUBLISHED

Assigner: suse

Published: 2021-02-11T16:00:20.422Z

Updated: 2024-09-16T18:33:16.586Z

Reserved: 2020-01-27T00:00:00.000Z

Link: CVE-2020-8029

Vulnrichment

No data.

NVD

Status : Modified

Published: 2021-02-11T16:15:12.883

Modified: 2024-11-21T05:38:15.193

Link: CVE-2020-8029

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

CWE-732

{"containers": {"cna": {"affected": [{"product": "SUSE CaaS Platform 4.5", "vendor": "SUSE", "versions": [{"lessThan": "https://github.com/SUSE/skuba/pull/1416", "status": "affected", "version": "skuba", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Johannes Segitz of SUSE"}], "datePublic": "2020-11-23T00:00:00.000Z", "descriptions": [{"lang": "en", "value": "A Incorrect Permission Assignment for Critical Resource vulnerability in skuba of SUSE CaaS Platform 4.5 allows local attackers to gain access to the kublet key. This issue affects: SUSE CaaS Platform 4.5 skuba versions prior to https://github.com/SUSE/skuba/pull/1416."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 2.9, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-732", "description": "CWE-732: Incorrect Permission Assignment for Critical Resource", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-02-11T16:00:20.000Z", "orgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb", "shortName": "suse"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.suse.com/show_bug.cgi?id=1177362"}], "source": {"advisory": "https://bugzilla.suse.com/show_bug.cgi?id=1177362", "defect": ["1177362"], "discovery": "INTERNAL"}, "title": "skuba: Insecure handling of private key", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@suse.com", "DATE_PUBLIC": "2020-11-23T00:00:00.000Z", "ID": "CVE-2020-8029", "STATE": "PUBLIC", "TITLE": "skuba: Insecure handling of private key"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "SUSE CaaS Platform 4.5", "version": {"version_data": [{"version_affected": "<", "version_name": "skuba", "version_value": "https://github.com/SUSE/skuba/pull/1416"}]}}]}, "vendor_name": "SUSE"}]}}, "credit": [{"lang": "eng", "value": "Johannes Segitz of SUSE"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A Incorrect Permission Assignment for Critical Resource vulnerability in skuba of SUSE CaaS Platform 4.5 allows local attackers to gain access to the kublet key. This issue affects: SUSE CaaS Platform 4.5 skuba versions prior to https://github.com/SUSE/skuba/pull/1416."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 2.9, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-732: Incorrect Permission Assignment for Critical Resource"}]}]}, "references": {"reference_data": [{"name": "https://bugzilla.suse.com/show_bug.cgi?id=1177362", "refsource": "CONFIRM", "url": "https://bugzilla.suse.com/show_bug.cgi?id=1177362"}]}, "source": {"advisory": "https://bugzilla.suse.com/show_bug.cgi?id=1177362", "defect": ["1177362"], "discovery": "INTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T09:48:25.210Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bugzilla.suse.com/show_bug.cgi?id=1177362"}]}]}, "cveMetadata": {"assignerOrgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb", "assignerShortName": "suse", "cveId": "CVE-2020-8029", "datePublished": "2021-02-11T16:00:20.422Z", "dateReserved": "2020-01-27T00:00:00.000Z", "dateUpdated": "2024-09-16T18:33:16.586Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:suse:caas_platform:4.5:*:*:*:*:*:*:*", "matchCriteriaId": "E2FE9676-8FCA-4045-BC6F-85C80F730CD1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A Incorrect Permission Assignment for Critical Resource vulnerability in skuba of SUSE CaaS Platform 4.5 allows local attackers to gain access to the kublet key. This issue affects: SUSE CaaS Platform 4.5 skuba versions prior to https://github.com/SUSE/skuba/pull/1416."}, {"lang": "es", "value": "Una vulnerabilidad Asignaci\u00f3n Incorrecta de Permisos para Recursos Cr\u00edticos en skuba de SUSE CaaS Platform versi\u00f3n 4.5, permite a atacantes locales obtener acceso a la clave de kublet. Este problema afecta a: skuba de SUSE CaaS Platform versi\u00f3n 4.5 anterior a https://github.com/SUSE/skuba/pull/1416"}], "id": "CVE-2020-8029", "lastModified": "2024-11-21T05:38:15.193", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 2.1, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 2.9, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.4, "impactScore": 1.4, "source": "meissner@suse.de", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 4.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.5, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-02-11T16:15:12.883", "references": [{"source": "meissner@suse.de", "tags": ["Exploit", "Issue Tracking", "Vendor Advisory"], "url": "https://bugzilla.suse.com/show_bug.cgi?id=1177362"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Issue Tracking", "Vendor Advisory"], "url": "https://bugzilla.suse.com/show_bug.cgi?id=1177362"}], "sourceIdentifier": "meissner@suse.de", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-732"}], "source": "meissner@suse.de", "type": "Secondary"}]}