Risk | Low |
Patch available | YES |
Number of vulnerabilities | 1 |
CVE-ID | CVE-2020-10749 |
CWE-ID | CWE-345 |
Exploitation vector | Network |
Public exploit | Public exploit code for vulnerability #1 is available. |
Vulnerable software | CNI Plugins (Server applications / Other server solutions) |
Vendor | CNI |
Security Bulletin
This security bulletin contains one low risk vulnerability.
EUVDB-ID: #VU31794
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C]
CVE-ID: CVE-2020-10749
CWE-ID: CWE-345 - Insufficient Verification of Data Authenticity
Exploit availability: Yes
Description
The vulnerability allows a remote attacker to perform a man-in-the-middle attack.
The vulnerability exists due to insufficient verification of data authenticity in CNI plugins when processing IPv6 router advertisements. A malicious container can exploit this flaw by sending rogue IPv6 router advertisements to the host or other containers to redirect traffic to the malicious container.
Mitigation
Install updates from vendor's website.
Vulnerable software versions
CNI Plugins: 0.1.0 - 0.8.5
External links
http://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10749
http://groups.google.com/forum/#!topic/kubernetes-security-announce/BMb_6ICCfp8
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.