Clusters using Calico (version 3.22.1 and below), Calico Enterprise (version 3.12.0 and below), may be vulnerable to route hijacking with…
Tigera·CWE-20·Published 2022-06-06
Clusters using Calico (version 3.22.1 and below), Calico Enterprise (version 3.12.0 and below), may be vulnerable to route hijacking with the floating IP feature. Due to insufficient validation, a privileged attacker may be able to set a floating IP annotation to a pod even if the feature is not enabled. This may allow the attacker to intercept and reroute traffic to their compromised pod.
Clusters using Calico (version 3.22.1 and below), Calico Enterprise (version 3.12.0 and below), may be vulnerable to route hijacking with the floating IP feature. Due to insufficient validation, a privileged attacker may be able to set a floating IP annotation to a pod even if the feature is not enabled. This may allow the attacker to intercept and reroute traffic to their compromised pod.
Clusters using Calico (version 3.22.1 and below), Calico Enterprise (version 3.12.0 and below), may be vulnerable to route hijacking with the floating IP feature. Due to insufficient validation, a privileged attacker may be able to set a floating IP annotation to a pod even if the feature is not enabled. This may allow the attacker to intercept and reroute traffic to their compromised pod.
Clusters using Calico (version 3.22.1 and below), Calico Enterprise (version 3.12.0 and below), may be vulnerable to route hijacking with the floating IP feature. Due to insufficient validation, a privileged attacker may be able to set a floating IP annotation to a pod even if the feature is not enabled. This may allow the attacker to intercept and reroute traffic to their compromised pod.
Los clústeres usando Calico (versiones 3.22.1 y anteriores), Calico Enterprise (versiones 3.12.0 y anteriores), pueden ser vulnerables al secuestro de rutas con la función de IP flotante. Debido a una comprobación insuficiente, un atacante privilegiado puede ser capaz de establecer una anotación de IP flotante a un pod incluso si la característica no está habilitada. Esto puede permitir al atacante interceptar y redirigir el tráfico a su pod comprometido
| Version | Type | Source | Base | Exp | Impact | Vector |
|---|---|---|---|---|---|---|
| 2.0 | Primary | NVD | 5.5 | 8.0 | 4.9 | AV:N/AC:L/Au:S/C:N/I:P/A:P |
| 3.1 | Primary | cve.org | 5.5 | — | — | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:H |
| 3.1 | Primary | cve.org | 5.5 | — | — | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:H |
| 3.1 | Primary | NVD | 5.5 | 1.2 | 4.2 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H |
| 3.1 | Secondary | GHSA | 5.5 | — | — | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H |
| 3.1 | Secondary | NVD | 5.5 | 1.2 | 4.2 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:H |