Description
Inspektor Gadget Security Policies Can be Bypassed
Security policies like allowed-gadgets, disallow-pulling, verify-image can be bypassed by a malicious client.
Impact
Users running ig in daemon mode or IG on Kubernetes who rely on any of the features mentioned above are vulnerable to this issue. In order to exploit this, the client needs access to the server, such as the correct TLS certificates in the ig daemon case, or access to the cluster in the Kubernetes case.
Patches
The issue has been fixed in v0.40.0.
Workarounds
There is no known workaround.
Packages
Name
github.com/inspektor-gadget/inspektor-gadget
go
Affected versions: >= 0.31.0, < 0.40.0
Fixed version: 0.40.0
CVSS3: 6.7 Medium
Weaknesses
CWE-285