CVE-2020-13597
MEDIUM: Calico < 2.6.2, < 3.8.8, 3.14.0 - Information Disclosure via IPv6 Route Advertisement
Title source: llmDescription
Clusters using Calico (version 3.14.0 and below) or Calico Enterprise (version 2.8.2 and below) may be vulnerable to information disclosure if IPv6 is enabled but unused. A compromised pod with sufficient privilege is able to reconfigure the node’s IPv6 interface because the node accepts route advertisements by default, allowing the attacker to redirect all or part of the node's network traffic to the compromised pod.
References (3)
Vendor Advisory: https://www.projectcalico.org/security-bulletins/
Mailing List: https://groups.google.com/forum/#%21topic/kubernetes-security-announce/BMb_6ICCfp8
Issue Tracking, Third Party Advisory: https://github.com/kubernetes/kubernetes/issues/91507
Scores
CVSS v3: 6.0 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L)
EPSS: 0.0090
EPSS Percentile: 54.9%
Attack Vector: NETWORK
Details
CWE: CWE-201, CWE-200
Status: published
Products (4)
projectcalico/calico 3.14.0
projectcalico/calico < 2.6.2
projectcalico/calico < 3.8.8
projectcalico/calico 3.14.0 - 3.14.1 (Go)
Published: Jun 03, 2020
Tracked Since: Feb 18, 2026