All the vulnerabilites related to netlify - kiali-operator
cve-2021-3495
Vulnerability from cvelistv5
Published
2021-06-01 13:31
Modified
2024-08-03 16:53
Severity ?
EPSS score ?
Summary
An incorrect access control flaw was found in the kiali-operator in versions before 1.33.0 and before 1.24.7. This flaw allows an attacker with a basic level of access to the cluster (to deploy a kiali operand) to use this vulnerability and deploy a given image to anywhere in the cluster, potentially gaining access to privileged service account tokens. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
References
| ▼ | URL | Tags |
|---|---|---|
| https://bugzilla.redhat.com/show_bug.cgi?id=1947361 | x_refsource_MISC | |
| https://kiali.io/news/security-bulletins/kiali-security-003/ | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | n/a | kiali/kiali-operator |
Version: kiali/kiali-operator 1.33.0, kiali/kiali-operator 1.24.7 |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T16:53:17.829Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1947361"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://kiali.io/news/security-bulletins/kiali-security-003/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "kiali/kiali-operator",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "kiali/kiali-operator 1.33.0, kiali/kiali-operator 1.24.7"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An incorrect access control flaw was found in the kiali-operator in versions before 1.33.0 and before 1.24.7. This flaw allows an attacker with a basic level of access to the cluster (to deploy a kiali operand) to use this vulnerability and deploy a given image to anywhere in the cluster, potentially gaining access to privileged service account tokens. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-281",
"description": "CWE-281",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-06-01T13:31:32",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1947361"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://kiali.io/news/security-bulletins/kiali-security-003/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2021-3495",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "kiali/kiali-operator",
"version": {
"version_data": [
{
"version_value": "kiali/kiali-operator 1.33.0, kiali/kiali-operator 1.24.7"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An incorrect access control flaw was found in the kiali-operator in versions before 1.33.0 and before 1.24.7. This flaw allows an attacker with a basic level of access to the cluster (to deploy a kiali operand) to use this vulnerability and deploy a given image to anywhere in the cluster, potentially gaining access to privileged service account tokens. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-281"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=1947361",
"refsource": "MISC",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1947361"
},
{
"name": "https://kiali.io/news/security-bulletins/kiali-security-003/",
"refsource": "MISC",
"url": "https://kiali.io/news/security-bulletins/kiali-security-003/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2021-3495",
"datePublished": "2021-06-01T13:31:32",
"dateReserved": "2021-04-12T00:00:00",
"dateUpdated": "2024-08-03T16:53:17.829Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Vulnerability from fkie_nvd
Published
2021-06-01 14:15
Modified
2024-11-21 06:21
Severity ?
Summary
An incorrect access control flaw was found in the kiali-operator in versions before 1.33.0 and before 1.24.7. This flaw allows an attacker with a basic level of access to the cluster (to deploy a kiali operand) to use this vulnerability and deploy a given image to anywhere in the cluster, potentially gaining access to privileged service account tokens. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| secalert@redhat.com | https://bugzilla.redhat.com/show_bug.cgi?id=1947361 | Issue Tracking, Patch, Third Party Advisory | |
| secalert@redhat.com | https://kiali.io/news/security-bulletins/kiali-security-003/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://bugzilla.redhat.com/show_bug.cgi?id=1947361 | Issue Tracking, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://kiali.io/news/security-bulletins/kiali-security-003/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| netlify | kiali-operator | * | |
| netlify | kiali-operator | * | |
| redhat | openshift_service_mesh | 1.0 | |
| redhat | openshift_service_mesh | 2.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:netlify:kiali-operator:*:*:*:*:*:*:*:*",
"matchCriteriaId": "90113227-7E7E-4EC8-8B91-B12D9A3663CF",
"versionEndExcluding": "1.24.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:netlify:kiali-operator:*:*:*:*:*:*:*:*",
"matchCriteriaId": "6932F64F-0CC7-40CA-BEBF-6658DABC6E80",
"versionEndExcluding": "1.33.0",
"versionStartIncluding": "1.30.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:redhat:openshift_service_mesh:1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "732F14CE-7994-4DD2-A28B-AE9E79826C01",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:openshift_service_mesh:2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "A76A2BCE-4AAE-46D7-93D6-2EDE0FC83145",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An incorrect access control flaw was found in the kiali-operator in versions before 1.33.0 and before 1.24.7. This flaw allows an attacker with a basic level of access to the cluster (to deploy a kiali operand) to use this vulnerability and deploy a given image to anywhere in the cluster, potentially gaining access to privileged service account tokens. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability."
},
{
"lang": "es",
"value": "Se encontr\u00f3 un fallo de control de acceso incorrecto en kiali-operator en versiones anteriores a 1.33.0 y versiones anteriores a 1.24.7. este fallo permite a un atacante con un nivel b\u00e1sico de acceso al cl\u00faster (para implementar un operando kiali) usar esta vulnerabilidad e implementar una imagen determinada en cualquier lugar del cl\u00faster, potencialmente consiguiendo acceso a tokens de cuentas de servicio privilegiadas. La mayor amenaza de esta vulnerabilidad es la confidencialidad e integridad de los datos, as\u00ed como la disponibilidad del sistema"
}
],
"id": "CVE-2021-3495",
"lastModified": "2024-11-21T06:21:40.747",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-06-01T14:15:10.303",
"references": [
{
"source": "secalert@redhat.com",
"tags": [
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1947361"
},
{
"source": "secalert@redhat.com",
"tags": [
"Vendor Advisory"
],
"url": "https://kiali.io/news/security-bulletins/kiali-security-003/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1947361"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://kiali.io/news/security-bulletins/kiali-security-003/"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-281"
}
],
"source": "secalert@redhat.com",
"type": "Primary"
}
]
}