CVE-2020-13597

Summary

Clusters using Calico (version 3.14.0 and below), Calico Enterprise (version 2.8.2 and below), may be vulnerable to information disclosure if IPv6 is enabled but unused. A compromised pod with sufficient privilege is able to reconfigure the node’s IPv6 interface due to the node accepting route advertisement by default, allowing the attacker to redirect full or partial network traffic from the node to the compromised pod.

Affected Software

VendorProductVersion RangeStatus
Tigera IncCalico3.14.0affected
Tigera IncCalicounspecified <= 3.13.3affected
Tigera IncCalicounspecified <= 3.12.1affected
Tigera IncCalicounspecified <= 3.11.2affected
Tigera IncCalicounspecified <= 3.10.3affected
Tigera IncCalicounspecified <= 3.9.5affected
Tigera IncCalicounspecified <= 3.8.8affected
Tigera IncCalico3.7.xaffected
Tigera IncCalico3.6.xaffected
Tigera IncCalico3.5.xaffected
Tigera IncCalico3.4.xaffected
Tigera IncCalico3.3.xaffected
Tigera IncCalico3.2.xaffected
Tigera IncCalico3.1.xaffected
Tigera IncCalico3.0.xaffected
Tigera IncCalico2.6.xaffected
Tigera IncCalico2.5.xaffected
Tigera IncCalico2.4.xaffected
Tigera IncCalico2.3.xaffected
Tigera IncCalico2.2.xaffected
Tigera IncCalico2.1.xaffected
Tigera IncCalico2.0.xaffected
Tigera IncCalico1.6.xaffected
Tigera IncCalico1.5.xaffected
Tigera IncCalico Enterpriseunspecified <= 2.8.2affected
Tigera IncCalico Enterpriseunspecified <= 2.7.4affected
Tigera IncCalico Enterpriseunspecified <= 2.6.2affected
Tigera IncCalico Enterprise2.5.xaffected
Tigera IncCalico Enterprise2.4.xaffected
Tigera IncCalico Enterprise2.3.xaffected
Tigera IncCalico Enterprise2.2.xaffected
Tigera IncCalico Enterprise2.1.xaffected
Tigera IncCalico Enterprise2.0.xaffected

Weaknesses

  • CWE-201: CWE-201 Information Exposure Through Sent Data

ADP Enrichment

CVE Program Container

Additional References

References