x/vulndb: potential Go vuln in github.com/maistra/istio-operator: CVE-2020-14306

[tatianab]

CVE-2020-14306 references github.com/maistra/istio-operator, which may be a Go module.

Description:
An incorrect access control flaw was found in the operator, openshift-service-mesh/istio-rhel8-operator all versions through 1.1.3. This flaw allows an attacker with a basic level of access to the cluster to deploy a custom gateway/pod to any namespace, potentially gaining access to privileged service account tokens. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

References:

• NIST: https://nvd.nist.gov/vuln/detail/CVE-2020-14306
• fix: MAISTRA-1071 Add manifest namespace validation maistra/istio-operator#462
• web: https://bugzilla.redhat.com/show_bug.cgi?id=1850380
• Imported by: https://pkg.go.dev/github.com/maistra/istio-operator?tab=importedby

Cross references:
No existing reports found with this module or alias.

See doc/triage.md for instructions on how to triage this report.

modules:
    - module: github.com/maistra/istio-operator
      vulnerable_at: 0.0.0-20231108130611-88c9aa2bf05c
      packages:
        - package: openshift-service-mesh/istio-rhel8-operator
cves:
    - CVE-2020-14306
references:
    - fix: https://github.com/maistra/istio-operator/pull/462
    - web: https://bugzilla.redhat.com/show_bug.cgi?id=1850380

[gopherbot]

Change https://go.dev/cl/540721 mentions this issue: data/excluded: batch add 135 excluded reports