exploitDog

CVE-2020-27846

Published: 17 Dec 2020
Source: redhat
CVSS3: 9.8
EPSS: Medium

Description

A signature verification vulnerability exists in crewjam/saml. This flaw allows an attacker to bypass SAML Authentication. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.

Statement

Grafana in the OpenShift Container Platform (OCP) and OpenShift Service Mesh uses oauth-proxy as an Auth Proxy, and therefore does not make use of the vulnerable SAML Authentication in the github.com/crewjam/saml module used by Grafana. Additionally, SAML is only available in the enterprise version of Grafana, but as the code is still packaged, it has been marked Low impact. Red Hat Gluster Storage 3 and Red Hat Ceph Storage 2, 3 and 4 ship old versions of Grafana where the ‘crewjam/saml’ module is not included. Therefore these products are not affected by this vulnerability. grafana as shipped with Red Hat Enterprise Linux 8 packages a vulnerable version of crewjam/saml but does not use it, as SAML is only available for the Enterprise version of Grafana. For this reason, this flaw has been marked Low impact.

Affected packages

Platform                                    Package                            State                  Advisory         Release
OpenShift Service Mesh 1                    servicemesh-grafana                Out of support scope
OpenShift Service Mesh 2.0                  servicemesh-grafana                Will not fix
Red Hat 3scale API Management Platform 2    3scale-operator-container          Not affected
Red Hat Ceph Storage 2                      grafana                            Not affected
Red Hat Ceph Storage 3                      grafana                            Not affected
Red Hat Ceph Storage 4                      rhceph/rhceph-4-dashboard-rhel8    Not affected
Red Hat Enterprise Linux 9                  grafana                            Not affected
Red Hat OpenShift Container Platform 3.11   openshift3/grafana                 Fix deferred
Red Hat Storage 3                           grafana                            Not affected
Red Hat Enterprise Linux 8                  grafana                            Fixed                  RHSA-2021:1859   18.05.2021


Additional information

Status: Critical
Weakness: CWE-115
Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1907670
crewjam/saml: authentication bypass in saml authentication

EPSS

Score: 0.15345 (Medium)
Percentile: 94%

CVSS3

9.8 Critical

Related vulnerabilities

CVSS3: 9.8
nvd
more than 4 years ago

A signature verification vulnerability exists in crewjam/saml. This flaw allows an attacker to bypass SAML Authentication. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.

CVSS3: 9.8
github
almost 4 years ago

XML Processing error in github.com/crewjam/saml

oracle-oval
about 4 years ago

ELSA-2021-1859: grafana security, bug fix, and enhancement update (MODERATE)
