Ecosyste.ms: Advisories

Security Advisories: GSA_kwCzR0hTQS04OXFtLXdjbXctM21nZ84AAw0u

Gitops Run insecure communication

Impact

GitOps run has a local S3 bucket which it uses for synchronising files that are later applied against a Kubernetes cluster. The communication between GitOps Run and the local s3 bucket is not encrypted.

This allows privileged users or process to tap the local traffic to gain information permitting access to the s3 bucket. From that point, it would be possible to alter the bucket content, resulting in changes in the Kubernetes cluster's resources(e.g. CVE-2022-23508).

Patches

This vulnerability has been fixed by commits ce2bbff and babd915. Users should upgrade to Weave GitOps version >= v0.12.0 released on 08/12/2022.

Workarounds

There is no workaround for this vulnerability.

References

Disclosed by Paulo Gomes, Senior Software Engineer, Weaveworks.

For more information

If you have any questions or comments about this advisory:

• Open an issue in Weave GitOps repository
• Email us at [email protected]

Permalink: https://github.com/advisories/GHSA-89qm-wcmw-3mgg
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS04OXFtLXdjbXctM21nZ84AAw0u
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 1 year ago
Updated: 10 months ago

CVSS Score: 7.4
CVSS vector: CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H

Identifiers: GHSA-89qm-wcmw-3mgg, CVE-2022-23509
References:

• https://github.com/weaveworks/weave-gitops/security/advisories/GHSA-89qm-wcmw-3mgg
• https://nvd.nist.gov/vuln/detail/CVE-2022-23509
• https://github.com/weaveworks/weave-gitops/pull/3098/commits/babd91574b99b310b84aeec9f8f895bd18acb967
• https://github.com/weaveworks/weave-gitops/pull/3106/commits/ce2bbff0a3609c33396050ed544a5a21f8d0797f
• https://github.com/advisories/GHSA-89qm-wcmw-3mgg

Repository: https://github.com/weaveworks/weave-gitops
Blast Radius: 2.2

Affected Packages