CVE-2020-14306

Name of the Vulnerable Software and Affected Versions openshift-service-mesh/istio-rhel8-operator versions through 1.1.3

Description The issue is related to an incorrect access control flaw in the operator, allowing an attacker with basic access to the cluster to deploy a custom gateway or pod to any namespace. This could potentially grant access to privileged service account tokens, posing a threat to data confidentiality, integrity, and system availability. The flaw is associated with the misuse of privileged APIs, which can be exploited by a remote attacker to elevate privileges and gain unauthorized access to protected information.

Recommendations For versions through 1.1.3, consider restricting access to the openshift-service-mesh/istio-rhel8-operator to minimize the risk of exploitation, and avoid deploying custom gateways or pods to unauthorized namespaces until a fix is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.