Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLW12NTUtMjN4cC0zd3A4
Access control flaw in Kiali
An incorrect access control flaw was found in the kiali-operator in versions before 1.33.0. This flaw allows an attacker with a basic level of access to the cluster (enough to deploy a Kiali operand) to deploy a given image anywhere in the cluster, potentially gaining access to privileged service account tokens. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Permalink: https://github.com/advisories/GHSA-mv55-23xp-3wp8
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLW12NTUtMjN4cC0zd3A4
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 3 years ago
Updated: about 1 year ago
CVSS Score: 8.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-mv55-23xp-3wp8, CVE-2021-3495
References:
- https://nvd.nist.gov/vuln/detail/CVE-2021-3495
- https://github.com/kiali/kiali-operator/pull/278
- https://bugzilla.redhat.com/show_bug.cgi?id=1947361
- https://kiali.io/news/security-bulletins/kiali-security-003/
- https://github.com/advisories/GHSA-mv55-23xp-3wp8
Blast Radius: 8.4
Affected Packages
go:github.com/kiali/kiali
Dependent packages: 19
Dependent repositories: 9
Downloads:
Affected Version Ranges: < 1.33.0
Fixed in: 1.33.0
All affected versions: 0.4.0, 0.5.0, 0.6.0, 0.7.0, 0.7.1, 0.7.2, 0.8.0, 0.8.1, 0.9.0, 0.9.1, 0.10.0, 0.10.1, 0.11.0, 0.12.0, 0.13.0, 0.14.0, 0.15.0, 0.16.0, 0.16.1, 0.16.2, 0.17.0, 0.18.0, 0.18.1, 0.19.0, 0.20.0, 0.21.0, 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.0.7, 1.0.8, 1.0.9, 1.0.10, 1.0.11, 1.1.0, 1.2.0, 1.3.0, 1.3.1, 1.4.0, 1.4.1, 1.4.2, 1.5.0, 1.6.0, 1.6.1, 1.7.0, 1.8.0, 1.9.0, 1.9.1, 1.10.0, 1.11.0, 1.12.0, 1.12.1, 1.12.2, 1.12.3, 1.12.4, 1.12.5, 1.12.6, 1.12.7, 1.12.8, 1.12.9, 1.12.10, 1.12.11, 1.12.12, 1.13.0, 1.13.1, 1.14.0, 1.15.0, 1.15.1, 1.15.2, 1.16.0, 1.17.0, 1.18.0, 1.18.1, 1.18.2, 1.18.3, 1.19.0, 1.20.0, 1.21.0, 1.22.0, 1.22.1, 1.23.0, 1.24.0, 1.24.1, 1.24.2, 1.24.3, 1.24.4, 1.24.5, 1.24.6, 1.24.7, 1.24.8, 1.24.9, 1.24.17, 1.25.0, 1.26.0, 1.26.1, 1.26.2, 1.26.3, 1.27.0, 1.28.0, 1.28.1, 1.29.0, 1.29.1, 1.29.2, 1.30.0, 1.31.0, 1.32.0
All unaffected versions: 1.33.0, 1.33.1, 1.34.0, 1.34.1, 1.35.0, 1.36.0, 1.36.1, 1.36.2, 1.36.3, 1.36.4, 1.36.5, 1.36.6, 1.36.7, 1.36.8, 1.36.9, 1.36.13, 1.36.14, 1.36.15, 1.36.16, 1.37.0, 1.38.0, 1.38.1, 1.39.0, 1.40.0, 1.40.1, 1.41.0, 1.42.0, 1.43.0, 1.44.0, 1.45.0, 1.45.1, 1.46.0, 1.47.0, 1.48.0, 1.48.1, 1.48.2, 1.48.3, 1.48.4, 1.48.5, 1.48.6, 1.48.7, 1.48.8, 1.48.9, 1.48.10, 1.48.11, 1.49.0, 1.50.0, 1.50.1, 1.51.0, 1.51.1, 1.52.0, 1.53.0, 1.54.0, 1.55.0, 1.55.1, 1.56.0, 1.56.1, 1.57.0, 1.57.1, 1.57.2, 1.57.3, 1.57.4, 1.57.5, 1.57.6, 1.57.7, 1.57.8, 1.57.9, 1.57.10, 1.57.11, 1.57.12, 1.57.13, 1.57.14, 1.58.0, 1.59.0, 1.59.1, 1.60.0, 1.61.0, 1.62.0, 1.62.1, 1.63.0, 1.63.1, 1.63.2, 1.64.0, 1.65.0, 1.65.1, 1.65.2, 1.65.3, 1.65.4, 1.65.5, 1.65.6, 1.65.7, 1.65.8, 1.65.9, 1.65.10, 1.65.11, 1.66.0, 1.66.1, 1.66.2, 1.67.0, 1.67.1, 1.67.2, 1.68.0, 1.69.0, 1.70.0, 1.71.0, 1.72.0, 1.73.0, 1.73.1, 1.73.2, 1.73.3, 1.73.4, 1.73.5, 1.73.6, 1.73.7, 1.74.0, 1.74.1, 1.75.0, 1.75.1, 1.76.0, 1.76.1, 1.77.0, 1.77.1, 1.78.0, 1.79.0, 1.80.0, 1.81.0, 1.82.0, 1.82.1, 1.83.0