Replicated Classic CVE-2020-10590
If you have any questions please email [email protected]
| Summary | Improperly secured API vulnerability. |
| Advisory Release Date | 11 May 2020 10 AM PDT (Pacific Time, -7 hours) |
| Affected Replicated Classic Versions | |
| Patched Replicated Classic Versions | |
Summary of Vulnerability
This advisory discloses a critical-severity security vulnerability in the versions of Replicated Classic listed above ("Affected Replicated Classic Versions").
Replicated KOTS is not affected by this vulnerability.
The Replicated Classic versions listed above have an improperly secured API that exposes sensitive data from the Replicated Admin Console configuration. An attacker with network access to the Admin Console port (8800) on the Replicated Classic server could retrieve the TLS key pair (certificate and private key) used to configure the Admin Console.
This issue was discovered during a security review on 21 March 2020. Patched versions were released on 22 March 2020. This advisory was embargoed until 11 May 2020.
Credit for finding and disclosing this vulnerability goes to the security team at HashiCorp.