Vulnerability CVE-2019-12494


Published: 2019-06-05

Description:
In Gardener before 0.20.0, incorrect access control in seed clusters allows information disclosure by sending HTTP GET requests from one's own shoot clusters to foreign shoot clusters. This occurs because traffic from shoot to seed via the VPN endpoint is not blocked.

Type: CWE-284 (Improper Access Control)

CVSS2 => (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVSS Base Score:         5/10
Impact Subscore:         2.9/10
Exploitability Subscore: 10/10

Exploit range:           Remote
Attack complexity:       Low
Authentication:          Not required

Confidentiality impact:  Partial
Integrity impact:        None
Availability impact:     None
Affected software: Gardener -> Gardener

References:
https://github.com/gardener/gardener/pull/874
https://github.com/gardener/vpn/issues/40
https://groups.google.com/forum/#!topic/gardener/pH6dNIEhv-A

Copyright 2024, cxsecurity.com