PT-2020-17330 · Weave · Weave Cloud Agent

Published

2020-12-15

Updated

2020-12-17

CVE-2020-35464

CVSS v2.0

Critical

Vector

AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions Weave Cloud Agent version 1.3.0

Description The Weave Cloud Agent Docker image contains a blank password for the root user, which may allow a remote attacker to achieve root access. This issue affects systems deployed using the affected version of the Weave Cloud Agent container.

Recommendations For version 1.3.0, update the Docker image to a version where the root user password is properly set, ensuring that remote access to the root account is secured with a strong password. As a temporary workaround, consider changing the root user password to a secure value to prevent unauthorized access.

Exploit

Fix

Missing Authentication

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-306

Related Identifiers

CVE-2020-35464

Affected Products

Weave Cloud Agent

PT-2020-17330 · Weave · Weave Cloud Agent

CVE-2020-35464

Weakness Enumeration

Related Identifiers

Affected Products

References · 5