Security Advisory

Replicated Classic CVE-2020-10590
If you have any questions please email [email protected]

Summary: Improperly secured API vulnerability.
Advisory Release Date: 11 May 2020, 10 AM PDT (Pacific Time, UTC-7)
Product: Replicated Classic
Affected Replicated Classic Versions:
  • 2.10.0 - 2.32.3
  • 2.33.0 - 2.36.0
  • 2.37.0 - 2.37.1
  • 2.38.0 - 2.38.5
  • 2.39.0 - 2.39.3
  • 2.40.0 - 2.40.3
  • 2.41.0 - 2.41.0
  • 2.42.0 - 2.42.3
Patched Replicated Classic Versions:
  • 2.32.4
  • 2.37.2
  • 2.38.6
  • 2.39.4
  • 2.40.4
  • 2.41.1
  • 2.42.4 - 2.42.5
  • 2.43.0 - (all later versions)
CVE ID(s):
  • CVE-2020-10590

Summary of Vulnerability

This advisory discloses a critical severity security vulnerability in the versions of Replicated Classic listed above ("Affected Replicated Classic Versions").

Replicated KOTS is not affected by this vulnerability.

Description

The Replicated Classic versions listed above have an improperly secured API that exposes sensitive data from the Replicated Admin Console configuration. An attacker with network access to the Admin Console port (8800) on the Replicated Classic server could retrieve the TLS key pair (certificate and private key) used to configure the Admin Console.
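The following helper, added here as an example and not part of the advisory or of Replicated's own tooling, classifies an installed Replicated Classic version against the affected and patched ranges listed above so that an operator can sort a fleet inventory into "affected", "patched" and "unlisted" (a version that falls between the published ranges). It assumes plain MAJOR.MINOR.PATCH version strings; the host names and versions in the sample inventory are constructed for illustration.

```python
"""Classify Replicated Classic versions against the ranges in CVE-2020-10590.

Added example; the ranges are copied verbatim from the advisory above.
Range bounds are inclusive on both ends.
"""
from typing import Dict, List, Sequence, Tuple

Version = Tuple[int, int, int]
Range = Tuple[Version, Version]

# "Affected Replicated Classic Versions" from the advisory.
AFFECTED_RANGES: Sequence[Range] = (
    ((2, 10, 0), (2, 32, 3)),
    ((2, 33, 0), (2, 36, 0)),
    ((2, 37, 0), (2, 37, 1)),
    ((2, 38, 0), (2, 38, 5)),
    ((2, 39, 0), (2, 39, 3)),
    ((2, 40, 0), (2, 40, 3)),
    ((2, 41, 0), (2, 41, 0)),
    ((2, 42, 0), (2, 42, 3)),
)

# "Patched Replicated Classic Versions" from the advisory.
PATCHED_RANGES: Sequence[Range] = (
    ((2, 32, 4), (2, 32, 4)),
    ((2, 37, 2), (2, 37, 2)),
    ((2, 38, 6), (2, 38, 6)),
    ((2, 39, 4), (2, 39, 4)),
    ((2, 40, 4), (2, 40, 4)),
    ((2, 41, 1), (2, 41, 1)),
    ((2, 42, 4), (2, 42, 5)),
)
# "2.43.0 - (all later versions)" is open-ended, so it is handled as a lower bound.
PATCHED_FROM: Version = (2, 43, 0)


def parse_version(text: str) -> Version:
    """Parse 'MAJOR.MINOR.PATCH' into a comparable tuple; reject anything else.

    Assumption: Replicated Classic release numbers are plain three-part integers,
    as every version in the advisory is.
    """
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"expected MAJOR.MINOR.PATCH, got {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def _in_ranges(version: Version, ranges: Sequence[Range]) -> bool:
    """True if version lies inside any of the inclusive ranges."""
    return any(low <= version <= high for low, high in ranges)


def classify(text: str) -> str:
    """Return 'affected', 'patched', or 'unlisted' for a version string.

    'unlisted' means the version is in neither list (for example 2.36.1,
    which sits between two affected ranges, or anything before 2.10.0);
    such hosts need a manual check rather than being assumed safe.
    """
    version = parse_version(text)
    if _in_ranges(version, AFFECTED_RANGES):
        return "affected"
    if _in_ranges(version, PATCHED_RANGES) or version >= PATCHED_FROM:
        return "patched"
    return "unlisted"


def summarize(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Group host names by classification; inventory maps host -> version string."""
    report: Dict[str, List[str]] = {"affected": [], "patched": [], "unlisted": []}
    for host, version in sorted(inventory.items()):
        report[classify(version)].append(host)
    return report


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical host names and versions).
    sample = {
        "replicated-a": "2.32.3",   # last release in the first affected range
        "replicated-b": "2.32.4",   # its patched successor
        "replicated-c": "2.41.0",   # single-version affected range
        "replicated-d": "2.45.2",   # covered by "all later versions"
        "replicated-e": "2.36.1",   # between ranges: not listed either way
    }
    for status, hosts in summarize(sample).items():
        print(f"{status:9s} {', '.join(hosts) or '-'}")
```

Treat "unlisted" as a prompt to confirm the build with the vendor rather than as a clean result; the advisory only speaks for the versions it names.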

Timeline

This issue was discovered during a security review on 21 March 2020. Patched versions were released on 22 March 2020. This advisory was embargoed until 11 May 2020.

Acknowledgements

Credit for finding and disclosing this vulnerability goes to the security team at HashiCorp.