CVE-2019-12494

In Gardener before 0.20.0, incorrect access control in seed clusters allows information disclosure by sending HTTP GET requests from one's own shoot clusters to foreign shoot clusters. This occurs because traffic from shoot to seed via the VPN endpoint is not blocked.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
8.5 HIGH
NETWORK
HIGH
LOW
CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
mitreCNA
8.5 HIGH
NETWORK
HIGH
LOW
CVSS:3.0/AC:H/AV:N/A:H/C:H/I:H/PR:L/S:C/UI:N
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 53%
VendorProductVersion
gardenergardener
𝑥
< 0.20.0
𝑥
= Vulnerable software versions
References
https://github.com/gardener/gardener/pull/874
https://github.com/gardener/vpn/issues/40
https://groups.google.com/forum/#%21topic/gardener/pH6dNIEhv-A
https://github.com/gardener/gardener/pull/874
https://github.com/gardener/vpn/issues/40
https://groups.google.com/forum/#%21topic/gardener/pH6dNIEhv-A