CVE-2020-8664

Severity: MEDIUM | CVSS 5.3/10 | EPSS 1.30%

CVE-2020-8664 is a medium-severity vulnerability rated 5.3/10 on the CVSS scale. CNCF Envoy through 1.13.0 has incorrect Access Control when using SDS with Combined Validation Context. Using the same secret (e.g. trusted CA) across many resources together with the combined validation context could lead to the “static” part of the validation context not being applied, even though it was visible in the active config dump. EPSS estimates a 1.30% chance of exploitation in the next 30 days.

Description

CNCF Envoy through 1.13.0 has incorrect Access Control when using SDS with Combined Validation Context. Using the same secret (e.g. trusted CA) across many resources together with the combined validation context could lead to the “static” part of the validation context not being applied, even though it was visible in the active config dump.

Metrics

CVSS 3.1
5.3/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

EPSS Probability
1.30%

66.8th percentile

Probability of exploitation in the next 30 days.

Weakness Enumeration

Affected Software

Vendor   Product   Versions
Cncf     Envoy     <= 1.13.0

References

Timeline

Published
Last Modified
Status
Modified

Frequently Asked Questions

What is CVE-2020-8664?
CNCF Envoy through 1.13.0 has incorrect Access Control when using SDS with Combined Validation Context. Using the same secret (e.g. trusted CA) across many resources together with the combined validation context could lead to the “static” part of the validation context not being applied, even though it was visible in the active config dump.
How severe is CVE-2020-8664?
CVE-2020-8664 has a CVSS score of 5.3/10 (MEDIUM severity). The EPSS model estimates a 1.30% probability of exploitation in the next 30 days.
How do I fix CVE-2020-8664?
Check the vendor references and advisories linked above for patched versions and mitigation guidance.

Source: NVD / NIST