CVE-2021-3495

Опубликовано: 01 июн. 2021

Источник: nvd

CVSS3: 8.8

CVSS2: 6.5

EPSS Низкий

Описание

An incorrect access control flaw was found in the kiali-operator in versions before 1.33.0 and before 1.24.7. This flaw allows an attacker with a basic level of access to the cluster (to deploy a kiali operand) to use this vulnerability and deploy a given image to anywhere in the cluster, potentially gaining access to privileged service account tokens. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

Ссылки

https://bugzilla.redhat.com/show_bug.cgi?id=1947361
Issue Tracking
Patch
Third Party Advisory
https://kiali.io/news/security-bulletins/kiali-security-003/
Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=1947361
Issue Tracking
Patch
Third Party Advisory
https://kiali.io/news/security-bulletins/kiali-security-003/
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:netlify:kiali-operator:*:*:*:*:*:*:*:*

Версия до 1.24.7 (исключая)

cpe:2.3:a:netlify:kiali-operator:*:*:*:*:*:*:*:*

Версия от 1.30.0 (включая) до 1.33.0 (исключая)

Конфигурация 2

Одно из

cpe:2.3:a:redhat:openshift_service_mesh:1.0:*:*:*:*:*:*:*

cpe:2.3:a:redhat:openshift_service_mesh:2.0:*:*:*:*:*:*:*

EPSS

Процентиль: 56%

0.00339

Низкий

8.8 High

CVSS3

6.5 Medium

CVSS2

Дефекты

CWE-281

Связанные уязвимости

CVE-2021-3495

CVSS3: 8.8

redhat

больше 4 лет назад

GHSA-mv55-23xp-3wp8

CVSS3: 8.8

github

больше 4 лет назад

Access control flaw in Kiali

EPSS

Процентиль: 56%

0.00339

Низкий

8.8 High

CVSS3

6.5 Medium

CVSS2

Дефекты

CWE-281