Description
Chaos Mesh's Chaos Controller Manager is Missing Authentication for Critical Function
The Chaos Controller Manager in Chaos Mesh exposes a GraphQL debugging server without authentication to the entire Kubernetes cluster, which provides an API to kill arbitrary processes in any Kubernetes pod, leading to cluster-wide denial of service.
References
Packages
Name
github.com/chaos-mesh/chaos-mesh
go
Affected versions: < 2.7.3
Fixed version: 2.7.3
Related vulnerabilities
CVSS3: 7.5
nvd
5 months ago
The Chaos Controller Manager in Chaos Mesh exposes a GraphQL debugging server without authentication to the entire Kubernetes cluster, which provides an API to kill arbitrary processes in any Kubernetes pod, leading to cluster-wide denial of service.