ByteOS Network

NVD Vulnerability Details :

CVE-2020-10706

Modified

Source-secalert@redhat.com

Published At-12 May, 2020 | 14:15

Updated At-12 Feb, 2023 | 23:38

A flaw was found in OpenShift Container Platform where OAuth tokens are not encrypted when the encryption of data at rest is enabled. This flaw allows an attacker with access to a backup to obtain OAuth tokens and then use them to log into the cluster as any user who logged into the cluster via the WebUI or via the command line in the last 24 hours. Once the backup is older than 24 hours the OAuth tokens are no longer valid.

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

Metrics

Type	Version	Base score	Base severity	Vector
Primary	3.1	6.6	MEDIUM	CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Secondary	3.1	6.3	MEDIUM	CVSS:3.1/AV:P/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary	2.0	4.6	MEDIUM	AV:L/AC:L/Au:N/C:P/I:P/A:P

Type: Primary

Version: 3.1

Base score: 6.6

Base severity: MEDIUM

Vector:

CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Type: Secondary

Version: 3.1

Base score: 6.3

Base severity: MEDIUM

Vector:

CVSS:3.1/AV:P/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Type: Primary

Version: 2.0

Base score: 4.6

Base severity: MEDIUM

Vector:

AV:L/AC:L/Au:N/C:P/I:P/A:P

CPE Matches

Red Hat, Inc.

>>openshift_container_platform>>-

cpe:2.3:a:redhat:openshift_container_platform:-:*:*:*:*:*:*:*

Weaknesses

CWE ID	Type	Source
CWE-312	Primary	secalert@redhat.com
CWE-312	Secondary	nvd@nist.gov

CWE ID: CWE-312

Type: Primary

Source: secalert@redhat.com

CWE ID: CWE-312

Type: Secondary

Source: nvd@nist.gov

References

Hyperlink	Source	Resource
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10706	secalert@redhat.com	Issue Tracking Vendor Advisory

Hyperlink: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10706

Source: secalert@redhat.com

Resource:

Issue Tracking

Vendor Advisory

CISA Catalog

Metrics

CPE Matches

Weaknesses

Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References

Change History