Improper Access Control Affecting github.com/openshift/cluster-ingress-operator/pkg/operator/controller/ingress package, versions *
Attack Complexity
High
Confidentiality
High
Integrity
High
Availability
High
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications-
snyk-id
SNYK-GOLANG-GITHUBCOMOPENSHIFTCLUSTERINGRESSOPERATORPKGOPERATORCONTROLLERINGRESS-1050164
-
published
10 Dec 2020
-
disclosed
10 Dec 2020
-
credit
Unknown
Introduced: 10 Dec 2020
CVE-2020-27836 Open this link in a new tabHow to fix?
Upgrade github.com/openshift/cluster-ingress-operator/pkg/operator/controller/ingress to version or higher.
Overview
github.com/openshift/cluster-ingress-operator/pkg/operator/controller/ingress is an OpenShift component which enables external access to cluster services by configuring Ingress Controllers, which route traffic as specified by OpenShift Route and Kubernetes Ingress resources.
Affected versions of this package are vulnerable to Improper Access Control. Until the 4.6.6 version of OpenShift Container Platform changes to the router-default service to allow only certain IP source ranges was possible by directly editing the service object. Since 4.6.6 changes to the loadBalancerSourceRanges field are overwritten to the default of all IP ranges. If a cluster is affected by this issue an attacker can use the flaw to access resources which should be restricted to the specified IP ranges.