#VU31794 Insufficient verification of data authenticity in CNI Plugins - CVE-2020-10749

 


Published: July 24, 2020 / Updated: July 24, 2020


Vulnerability identifier: #VU31794
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/U:Clear
CVE-ID: CVE-2020-10749
CWE-ID: CWE-345
Exploitation vector: Remote access
Exploit availability: Public exploit is available
Vulnerable software: CNI Plugins
Software vendor: CNI

Description

The vulnerability allows a remote attacker to perform a man-in-the-middle attack.

The vulnerability exists due to insufficient verification of data authenticity in CNI plugins when processing IPv6 router advertisements. A malicious container can exploit this flaw by sending rogue IPv6 router advertisements to the host or other containers to redirect traffic to the malicious container.


Remediation

Install updates from vendor's website.
