Description
The fix for this issue in the bundled third-party library Consul requires 'enable-script-checks' to be set to false. That setting is what makes the vendor's patch effective: with script checks still enabled, the patch can be bypassed. This only affects GitLab EE.
A command injection flaw was found in the script check configuration option of HashiCorp's Consul. With script checks enabled, a check registered through the agent's HTTP API runs the command it specifies on the agent host, so if that API is enabled and exposed on a public interface, remote code execution is possible.
Mitigation
To mitigate this issue, remove the '-enable-script-checks' option (or set it to false) so that the vulnerable component is disabled. Exploitability can also be limited by using the '-enable-local-script-checks' option instead, which allows script checks only when they are defined in the agent's local configuration files and not when they are registered through the HTTP API, and/or by binding the API to a loopback interface.
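The exposure described above can be checked mechanically from an agent's JSON configuration. The following checker is an added example, not code from GitLab or HashiCorp; it relies on the real Consul configuration keys `enable_script_checks`, `enable_local_script_checks`, `client_addr` and `addresses.http`, while the function names and the two sample configurations are constructed for this illustration. Any bind address that cannot be proven to be loopback (for example `0.0.0.0` or a go-sockaddr template) is treated as exposed.

```python
"""Audit a Consul agent JSON config for the script-check / HTTP API exposure."""
import ipaddress
import json

# Constructed sample configurations (not taken from any real deployment):
# the exposed setup beside the mitigated one.
VULNERABLE_CONFIG = """
{
  "server": true,
  "client_addr": "0.0.0.0",
  "enable_script_checks": true
}
"""

HARDENED_CONFIG = """
{
  "server": true,
  "client_addr": "0.0.0.0",
  "addresses": { "http": "127.0.0.1" },
  "enable_local_script_checks": true
}
"""


def _is_loopback(addr):
    """True only for addresses we can prove are loopback.

    Unparseable values such as '0.0.0.0' (parseable but not loopback) or a
    go-sockaddr template like '{{ GetInterfaceIP "eth0" }}' count as exposed.
    """
    if addr == "localhost":
        return True
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def http_bind_addresses(cfg):
    """Addresses the HTTP API listens on.

    addresses.http overrides the general client_addr; Consul defaults
    client_addr to 127.0.0.1 and accepts a space-separated list.
    """
    addr = cfg.get("addresses", {}).get("http") or cfg.get("client_addr", "127.0.0.1")
    return addr.split()


def audit_consul_config(cfg):
    """Return (severity, message) findings for the parsed config dict."""
    findings = []
    exposed = [a for a in http_bind_addresses(cfg) if not _is_loopback(a)]

    if cfg.get("enable_script_checks"):
        # enable_script_checks permits script checks from config files AND
        # from the HTTP API, so API reachability decides the severity.
        if exposed:
            findings.append((
                "CRITICAL",
                "enable_script_checks is on and the HTTP API listens on "
                + ", ".join(exposed)
                + ": anyone who can reach the API can register a check that "
                "runs an arbitrary command on the agent host",
            ))
        else:
            findings.append((
                "HIGH",
                "enable_script_checks is on; the API is loopback-only, so only "
                "local callers can register script checks, but the option should "
                "still be replaced by enable_local_script_checks or removed",
            ))
    elif cfg.get("enable_local_script_checks"):
        findings.append((
            "INFO",
            "enable_local_script_checks is on: script checks are accepted only "
            "from the agent's local configuration files, not via the HTTP API",
        ))
    # Neither option set: script checks are disabled, nothing to report.
    return findings


def audit_consul_json(text):
    """Parse a Consul JSON config and audit it."""
    return audit_consul_config(json.loads(text))


if __name__ == "__main__":
    for name, cfg in (("vulnerable", VULNERABLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_consul_json(cfg) or [("OK", "script checks disabled")])
```

Note the asymmetry the checker encodes: binding the API to loopback reduces the exposure but does not remove the dangerous option, so a loopback-only agent with `enable_script_checks` still gets a finding, while `enable_local_script_checks` is reported only for information.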
Affected packages
Platform | Package | Status | Recommendation | Release |
---|---|---|---|---|
Custom Metric Autoscaler operator for Red Hat Openshift | custom-metrics-autoscaler/custom-metrics-autoscaler-rhel8 | Affected | ||
Custom Metric Autoscaler operator for Red Hat Openshift | custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-adapter-rhel8 | Not affected | ||
Custom Metric Autoscaler operator for Red Hat Openshift | custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-rhel8-operator | Not affected | ||
Logging Subsystem for Red Hat OpenShift | openshift-logging/logging-loki-rhel8 | Not affected | ||
Logging Subsystem for Red Hat OpenShift | openshift-logging/loki-rhel8-operator | Not affected | ||
mirror registry for Red Hat OpenShift | mirror-registry-container | Affected | ||
OpenShift API for Data Protection | oadp/oadp-kubevirt-velero-plugin-rhel8 | Not affected | ||
OpenShift API for Data Protection | oadp/oadp-mustgather-rhel8 | Not affected | ||
OpenShift API for Data Protection | oadp/oadp-rhel8-operator | Not affected | ||
OpenShift API for Data Protection | oadp/oadp-velero-plugin-for-aws-rhel9 | Not affected | ||
Additional information
Status:
EPSS
CVSS3: 8.1 High