Moderate severityNVD Advisory· Published Jun 3, 2020· Updated Sep 16, 2024
Calico nodes IPv6 traffic redirection from route advertisment
CVE-2020-13597
Description
Clusters using Calico (version 3.14.0 and below), Calico Enterprise (version 2.8.2 and below), may be vulnerable to information disclosure if IPv6 is enabled but unused. A compromised pod with sufficient privilege is able to reconfigure the node’s IPv6 interface due to the node accepting route advertisement by default, allowing the attacker to redirect full or partial network traffic from the node to the compromised pod.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/projectcalico/calicoGo | >= 3.14.0, < 3.14.1 | 3.14.1 |
github.com/projectcalico/calicoGo | >= 3.13.0, < 3.13.4 | 3.13.4 |
github.com/projectcalico/calicoGo | >= 3.12.0, < 3.12.2 | 3.12.2 |
github.com/projectcalico/calicoGo | >= 3.11.0, < 3.11.3 | 3.11.3 |
github.com/projectcalico/calicoGo | >= 3.10.0, < 3.10.4 | 3.10.4 |
github.com/projectcalico/calicoGo | >= 3.9.0, < 3.9.6 | 3.9.6 |
github.com/projectcalico/calicoGo | < 3.8.9 | 3.8.9 |
Affected products
1- Range: 3.14.0
Patches
1ad10b6fa91aaMerge pull request #484 from squeed/disable-ra
2 files changed · +11 −2
pkg/ip/link_linux.go+7 −2 modified@@ -21,10 +21,12 @@ import ( "net" "os" - "github.com/containernetworking/plugins/pkg/ns" - "github.com/containernetworking/plugins/pkg/utils/hwaddr" "github.com/safchain/ethtool" "github.com/vishvananda/netlink" + + "github.com/containernetworking/plugins/pkg/ns" + "github.com/containernetworking/plugins/pkg/utils/hwaddr" + "github.com/containernetworking/plugins/pkg/utils/sysctl" ) var ( @@ -158,6 +160,9 @@ func SetupVethWithName(contVethName, hostVethName string, mtu int, hostNS ns.Net if err = netlink.LinkSetUp(hostVeth); err != nil { return fmt.Errorf("failed to set %q up: %v", hostVethName, err) } + + // we want to own the routes for this interface + _, _ = sysctl.Sysctl(fmt.Sprintf("net/ipv6/conf/%s/accept_ra", hostVethName), "0") return nil }) if err != nil {
plugins/main/bridge/bridge.go+4 −0 modified@@ -36,6 +36,7 @@ import ( "github.com/containernetworking/plugins/pkg/ns" "github.com/containernetworking/plugins/pkg/utils" bv "github.com/containernetworking/plugins/pkg/utils/buildversion" + "github.com/containernetworking/plugins/pkg/utils/sysctl" ) // For testcases to force an error after IPAM has been performed @@ -248,6 +249,9 @@ func ensureBridge(brName string, mtu int, promiscMode, vlanFiltering bool) (*net return nil, err } + // we want to own the routes for this interface + _, _ = sysctl.Sysctl(fmt.Sprintf("net/ipv6/conf/%s/accept_ra", brName), "0") + if err := netlink.LinkSetUp(br); err != nil { return nil, err }
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
9- github.com/advisories/GHSA-pf59-j7c2-rh6xghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2020-13597ghsaADVISORY
- github.com/containernetworking/plugins/commit/ad10b6fa91aacd720f1f9ab94341a97a82a24965ghsaWEB
- github.com/containernetworking/plugins/pull/484ghsaWEB
- github.com/kubernetes/kubernetes/issues/91507ghsax_refsource_CONFIRMWEB
- groups.google.com/forum/ghsaWEB
- groups.google.com/forum/mitrex_refsource_CONFIRM
- www.projectcalico.org/security-bulletinsghsaWEB
- www.projectcalico.org/security-bulletins/mitrex_refsource_CONFIRM
News mentions
0No linked articles in our index yet.