Vulnerability Details : CVE-2020-8553
The Kubernetes ingress-nginx component prior to version 0.28.0 allows a user with the ability to create namespaces and to read and create ingress objects to overwrite the password file of another ingress which uses nginx.ingress.kubernetes.io/auth-type: basic and which has a hyphenated namespace or secret name.
Vulnerability category: File inclusion
Products affected by CVE-2020-8553
- cpe:2.3:a:kubernetes:ingress-nginx:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2020-8553
- EPSS score: 0.09% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~41% (the proportion of vulnerabilities that are scored at or lower)
CVSS scores for CVE-2020-8553
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.9 | MEDIUM | AV:N/AC:M/Au:S/C:P/I:P/A:N | 6.8 | 4.9 | NIST | |
5.9 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N | 0.7 | 5.2 | Kubernetes | |
5.9 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N | 0.7 | 5.2 | NIST | |
CWE ids for CVE-2020-8553
- The product allows user input to control or influence paths or file names that are used in filesystem operations. Assigned by: jordan@liggitt.net (Secondary)
- The product uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere. Assigned by: nvd@nist.gov (Primary)
References for CVE-2020-8553
- https://github.com/kubernetes/ingress-nginx/issues/5126 (CVE-2020-8553: auth-type basic annotation vulnerability · Issue #5126 · kubernetes/ingress-nginx · GitHub; Third Party Advisory)