Insecure Permissions Affecting github.com/openshift/machine-config-operator/pkg/server package, versions *
Snyk CVSS
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-GOLANG-GITHUBCOMOPENSHIFTMACHINECONFIGOPERATORPKGSERVER-1059094
- published 12 Jan 2021
- disclosed 5 Nov 2020
- credit Unknown
Introduced: 5 Nov 2020
CVE-2020-35514 Open this link in a new tabHow to fix?
There is no fixed version for github.com/openshift/machine-config-operator/pkg/server
.
Overview
github.com/openshift/machine-config-operator/pkg/server is an OpenShift 4 is an operator-focused platform, and the Machine Config operator extends that to the operating system itself, managing updates and configuration changes to essentially everything between the kernel and kubelet.
Affected versions of this package are vulnerable to Insecure Permissions via the /etc/kubernetes/kubeconfig
file. An attacker with access to a running container which mounts /etc/kubernetes
or has local access to the node, may copy this kubeconfig
file and attempt to add their own node to the OpenShift cluster.