Description
A vulnerability was found in all versions of containernetworking/plugins before version 0.8.6, that allows malicious containers in Kubernetes clusters to perform man-in-the-middle (MitM) attacks. A malicious container can exploit this flaw by sending rogue IPv6 router advertisements to the host or other containers, to redirect traffic to the malicious container.
CVSS breakdown
CVSS 3.1
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low
Affected products
- Red Hat / containernetworking/pluginsall containernetworking/plugins versions before version 0.8.6 – all containernetworking/plugins versions before version 0.8.6
References
- MISChttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10749
- MISChttps://groups.google.com/forum/#%21topic/kubernetes-security-announce/BMb_6ICCfp8
- MAILING_LISThttp://lists.opensuse.org/opensuse-security-announce/2020-07/msg00063.html
- MAILING_LISThttp://lists.opensuse.org/opensuse-security-announce/2020-07/msg00065.html
- MAILING_LISThttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DV3HCDZYUTPPVDUMTZXDKK6IUO3JMGJC/