4 vulnerabilities found for Lens by Mirantis
CVE-2021-44458 (GCVE-0-2021-44458)
Vulnerability from nvd – Published: 2022-01-10 15:05 – Updated: 2024-08-04 04:25
Title
Lack of websocket authentication in Lens causes remote code execution when visiting a malicious website
Summary
Linux users running Lens 5.2.6 and earlier could be compromised by visiting a malicious website. The malicious website could make websocket connections from the victim's browser to Lens and so operate the local terminal feature. This would allow the attacker to execute arbitrary commands as the Lens user.
Severity
8.3 (High)
CWE
- CWE-287 - Improper Authentication
Assigner: Mirantis
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/Mirantis/security/blob/main/advisories/0001.md | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T04:25:16.457Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Mirantis/security/blob/main/advisories/0001.md"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"platforms": [
"Linux"
],
"product": "Lens",
"vendor": "Mirantis",
"versions": [
{
"lessThanOrEqual": "5.2.6",
"status": "affected",
"version": "5.2",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Linux users running Lens 5.2.6 and earlier could be compromised by visiting a malicious website. The malicious website could make websocket connections from the victim\u0027s browser to Lens and so operate the local terminal feature. This would allow the attacker to execute arbitrary commands as the Lens user."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287 Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-01-10T15:05:44.000Z",
"orgId": "ac17a704-eccd-4263-a802-5cee95c1d547",
"shortName": "Mirantis"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Mirantis/security/blob/main/advisories/0001.md"
}
],
"source": {
"advisory": "0001",
"discovery": "INTERNAL"
},
"title": "Lack of websocket authentication in Lens causes remote code execution when visiting a malicious website",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@mirantis.com",
"ID": "CVE-2021-44458",
"STATE": "PUBLIC",
"TITLE": "Lack of websocket authentication in Lens causes remote code execution when visiting a malicious website"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Lens",
"version": {
"version_data": [
{
"platform": "Linux",
"version_affected": "\u003c=",
"version_name": "5.2",
"version_value": "5.2.6"
}
]
}
}
]
},
"vendor_name": "Mirantis"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Linux users running Lens 5.2.6 and earlier could be compromised by visiting a malicious website. The malicious website could make websocket connections from the victim\u0027s browser to Lens and so operate the local terminal feature. This would allow the attacker to execute arbitrary commands as the Lens user."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-287 Improper Authentication"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/Mirantis/security/blob/main/advisories/0001.md",
"refsource": "MISC",
"url": "https://github.com/Mirantis/security/blob/main/advisories/0001.md"
}
]
},
"source": {
"advisory": "0001",
"discovery": "INTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "ac17a704-eccd-4263-a802-5cee95c1d547",
"assignerShortName": "Mirantis",
"cveId": "CVE-2021-44458",
"datePublished": "2022-01-10T15:05:44.000Z",
"dateReserved": "2022-01-10T00:00:00.000Z",
"dateUpdated": "2024-08-04T04:25:16.457Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-23154 (GCVE-0-2021-23154)
Vulnerability from nvd – Published: 2022-01-10 15:05 – Updated: 2024-08-03 18:58
Title
Command injection in Lens causes arbitrary shell command execution when malicious custom helm chart configuration provided
Summary
In Lens prior to 5.3.4, custom helm chart configuration builds helm commands by string concatenation of the provided arguments, and the resulting commands are then executed in the user's shell. Arguments can therefore be provided which cause arbitrary shell commands to run on the system.
Severity
6.3 (Medium)
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner: Mirantis
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/Mirantis/security/blob/main/advisories/0003.md | x_refsource_MISC |
Credits: Eren Karahasan (locomoco.dev@gmail.com)
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T18:58:26.305Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Mirantis/security/blob/main/advisories/0003.md"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Lens",
"vendor": "Mirantis",
"versions": [
{
"lessThanOrEqual": "5.3.3",
"status": "affected",
"version": "5.3",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Eren Karahasan (locomoco.dev@gmail.com)"
}
],
"descriptions": [
{
"lang": "en",
"value": "In Lens prior to 5.3.4, custom helm chart configuration creates helm commands from string concatenation of provided arguments which are then executed in the user\u0027s shell. Arguments can be provided which cause arbitrary shell commands to run on the system."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-01-10T15:05:45.000Z",
"orgId": "ac17a704-eccd-4263-a802-5cee95c1d547",
"shortName": "Mirantis"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Mirantis/security/blob/main/advisories/0003.md"
}
],
"source": {
"advisory": "0003",
"discovery": "UNKNOWN"
},
"title": "Command injection in Lens causes arbitrary shell command execution when malicious custom helm chart configuration provided",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@mirantis.com",
"ID": "CVE-2021-23154",
"STATE": "PUBLIC",
"TITLE": "Command injection in Lens causes arbitrary shell command execution when malicious custom helm chart configuration provided"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Lens",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "5.3",
"version_value": "5.3.3"
}
]
}
}
]
},
"vendor_name": "Mirantis"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Eren Karahasan (locomoco.dev@gmail.com)"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Lens prior to 5.3.4, custom helm chart configuration creates helm commands from string concatenation of provided arguments which are then executed in the user\u0027s shell. Arguments can be provided which cause arbitrary shell commands to run on the system."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/Mirantis/security/blob/main/advisories/0003.md",
"refsource": "MISC",
"url": "https://github.com/Mirantis/security/blob/main/advisories/0003.md"
}
]
},
"source": {
"advisory": "0003",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "ac17a704-eccd-4263-a802-5cee95c1d547",
"assignerShortName": "Mirantis",
"cveId": "CVE-2021-23154",
"datePublished": "2022-01-10T15:05:45.000Z",
"dateReserved": "2022-01-10T00:00:00.000Z",
"dateUpdated": "2024-08-03T18:58:26.305Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-23154 (GCVE-0-2021-23154)
Vulnerability from cvelistv5 – Published: 2022-01-10 15:05 – Updated: 2024-08-03 18:58
Title
Command injection in Lens causes arbitrary shell command execution when malicious custom helm chart configuration provided
Summary
In Lens prior to 5.3.4, custom helm chart configuration builds helm commands by string concatenation of the provided arguments, and the resulting commands are then executed in the user's shell. Arguments can therefore be provided which cause arbitrary shell commands to run on the system.
Severity
6.3 (Medium)
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner: Mirantis
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/Mirantis/security/blob/main/advisories/0003.md | x_refsource_MISC |
Credits: Eren Karahasan (locomoco.dev@gmail.com)
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T18:58:26.305Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Mirantis/security/blob/main/advisories/0003.md"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Lens",
"vendor": "Mirantis",
"versions": [
{
"lessThanOrEqual": "5.3.3",
"status": "affected",
"version": "5.3",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Eren Karahasan (locomoco.dev@gmail.com)"
}
],
"descriptions": [
{
"lang": "en",
"value": "In Lens prior to 5.3.4, custom helm chart configuration creates helm commands from string concatenation of provided arguments which are then executed in the user\u0027s shell. Arguments can be provided which cause arbitrary shell commands to run on the system."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-01-10T15:05:45.000Z",
"orgId": "ac17a704-eccd-4263-a802-5cee95c1d547",
"shortName": "Mirantis"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Mirantis/security/blob/main/advisories/0003.md"
}
],
"source": {
"advisory": "0003",
"discovery": "UNKNOWN"
},
"title": "Command injection in Lens causes arbitrary shell command execution when malicious custom helm chart configuration provided",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@mirantis.com",
"ID": "CVE-2021-23154",
"STATE": "PUBLIC",
"TITLE": "Command injection in Lens causes arbitrary shell command execution when malicious custom helm chart configuration provided"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Lens",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "5.3",
"version_value": "5.3.3"
}
]
}
}
]
},
"vendor_name": "Mirantis"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Eren Karahasan (locomoco.dev@gmail.com)"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Lens prior to 5.3.4, custom helm chart configuration creates helm commands from string concatenation of provided arguments which are then executed in the user\u0027s shell. Arguments can be provided which cause arbitrary shell commands to run on the system."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/Mirantis/security/blob/main/advisories/0003.md",
"refsource": "MISC",
"url": "https://github.com/Mirantis/security/blob/main/advisories/0003.md"
}
]
},
"source": {
"advisory": "0003",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "ac17a704-eccd-4263-a802-5cee95c1d547",
"assignerShortName": "Mirantis",
"cveId": "CVE-2021-23154",
"datePublished": "2022-01-10T15:05:45.000Z",
"dateReserved": "2022-01-10T00:00:00.000Z",
"dateUpdated": "2024-08-03T18:58:26.305Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-44458 (GCVE-0-2021-44458)
Vulnerability from cvelistv5 – Published: 2022-01-10 15:05 – Updated: 2024-08-04 04:25
Title
Lack of websocket authentication in Lens causes remote code execution when visiting a malicious website
Summary
Linux users running Lens 5.2.6 and earlier could be compromised by visiting a malicious website. The malicious website could make websocket connections from the victim's browser to Lens and so operate the local terminal feature. This would allow the attacker to execute arbitrary commands as the Lens user.
Severity
8.3 (High)
CWE
- CWE-287 - Improper Authentication
Assigner: Mirantis
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/Mirantis/security/blob/main/advisories/0001.md | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T04:25:16.457Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Mirantis/security/blob/main/advisories/0001.md"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"platforms": [
"Linux"
],
"product": "Lens",
"vendor": "Mirantis",
"versions": [
{
"lessThanOrEqual": "5.2.6",
"status": "affected",
"version": "5.2",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Linux users running Lens 5.2.6 and earlier could be compromised by visiting a malicious website. The malicious website could make websocket connections from the victim\u0027s browser to Lens and so operate the local terminal feature. This would allow the attacker to execute arbitrary commands as the Lens user."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287 Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-01-10T15:05:44.000Z",
"orgId": "ac17a704-eccd-4263-a802-5cee95c1d547",
"shortName": "Mirantis"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Mirantis/security/blob/main/advisories/0001.md"
}
],
"source": {
"advisory": "0001",
"discovery": "INTERNAL"
},
"title": "Lack of websocket authentication in Lens causes remote code execution when visiting a malicious website",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@mirantis.com",
"ID": "CVE-2021-44458",
"STATE": "PUBLIC",
"TITLE": "Lack of websocket authentication in Lens causes remote code execution when visiting a malicious website"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Lens",
"version": {
"version_data": [
{
"platform": "Linux",
"version_affected": "\u003c=",
"version_name": "5.2",
"version_value": "5.2.6"
}
]
}
}
]
},
"vendor_name": "Mirantis"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Linux users running Lens 5.2.6 and earlier could be compromised by visiting a malicious website. The malicious website could make websocket connections from the victim\u0027s browser to Lens and so operate the local terminal feature. This would allow the attacker to execute arbitrary commands as the Lens user."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-287 Improper Authentication"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/Mirantis/security/blob/main/advisories/0001.md",
"refsource": "MISC",
"url": "https://github.com/Mirantis/security/blob/main/advisories/0001.md"
}
]
},
"source": {
"advisory": "0001",
"discovery": "INTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "ac17a704-eccd-4263-a802-5cee95c1d547",
"assignerShortName": "Mirantis",
"cveId": "CVE-2021-44458",
"datePublished": "2022-01-10T15:05:44.000Z",
"dateReserved": "2022-01-10T00:00:00.000Z",
"dateUpdated": "2024-08-04T04:25:16.457Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}