Replicated Classic CVE-2020-10590

Summary: Improperly secured API vulnerability.
Advisory Release Date: 11 May 2020 10 AM PDT (Pacific Time, -7 hours)
Product: Replicated Classic
Affected Replicated Classic Versions
  • 2.10.0 – 2.32.3
  • 2.33.0 – 2.36.0
  • 2.37.0 – 2.37.1
  • 2.38.0 – 2.38.5
  • 2.39.0 – 2.39.3
  • 2.40.0 – 2.40.3
  • 2.41.0 – 2.41.0
  • 2.42.0 – 2.42.3
Patched Replicated Classic Versions
  • 2.32.4
  • 2.37.2
  • 2.38.6
  • 2.39.4
  • 2.40.4
  • 2.41.1
  • 2.42.4 – 2.42.5
  • 2.43.0 – (all later versions)
CVE ID(s)
  • CVE-2020-10590
Replicated KOTS is not affected by this vulnerability.
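The affected and patched lists above are not a single cut-off: 2.32.4 is patched, yet 2.33.0 through 2.36.0 are affected again, so a naive "version >= 2.32.4" check would misclassify those releases. The following is an added example, not part of the advisory or of Replicated's tooling, that encodes the advisory's inclusive ranges and classifies installed versions; the version strings in the sample inventory are constructed.

```python
"""Affected-version check for Replicated Classic CVE-2020-10590.

Added example, not part of the advisory. The inclusive ranges below are
copied from the advisory's "Affected Replicated Classic Versions" list.
"""
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Affected ranges from the advisory, inclusive on both ends.
AFFECTED_RANGES = [
    ((2, 10, 0), (2, 32, 3)),
    ((2, 33, 0), (2, 36, 0)),
    ((2, 37, 0), (2, 37, 1)),
    ((2, 38, 0), (2, 38, 5)),
    ((2, 39, 0), (2, 39, 3)),
    ((2, 40, 0), (2, 40, 3)),
    ((2, 41, 0), (2, 41, 0)),
    ((2, 42, 0), (2, 42, 3)),
]


def parse_version(text: str) -> Version:
    """Parse 'MAJOR.MINOR.PATCH' into a comparable tuple; reject anything else."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a MAJOR.MINOR.PATCH version: {text!r}")
    return (int(parts[0]), int(parts[1]), int(parts[2]))


def is_affected(text: str) -> bool:
    """True if the version falls inside any affected range.

    Versions older than 2.10.0 are not listed by the advisory at all and
    are reported as not in the affected ranges, not as verified safe.
    """
    v = parse_version(text)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def triage(versions: List[str]) -> Dict[str, str]:
    """Classify each installed version for an inventory review."""
    return {v: ("affected" if is_affected(v) else "not in affected ranges") for v in versions}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for ver, status in triage(["2.32.3", "2.32.4", "2.34.0", "2.42.5", "2.43.0"]).items():
        print(f"{ver}: {status}")
```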

Summary of Vulnerability

This advisory discloses a critical severity security vulnerability in the versions of Replicated Classic listed above (“Affected Replicated Classic Versions”).

Description

Replicated Classic versions listed above have an improperly secured API that exposes sensitive data from the Replicated Admin Console configuration. An attacker with network access to the Admin Console port (8800) on the Replicated Classic server could retrieve the TLS keypair (certificate and private key) used to configure the Admin Console.

Timeline

This issue was discovered during a security review on 21 March 2020.
Patched versions were released on 22 March 2020.
This advisory was embargoed until 11 May 2020.

Acknowledgements

Credit for finding and disclosing this vulnerability goes to the security team at HashiCorp.