CVE-2021-3495

An incorrect access control flaw was found in the kiali-operator in versions before 1.33.0 and before 1.24.7. This flaw allows an attacker with a basic level of access to the cluster (enough to deploy a kiali operand) to deploy a given image anywhere in the cluster, potentially gaining access to privileged service account tokens. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

Published

2021-06-01T14:15:10.303

Last Modified

2024-11-21T06:21:40.747

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 8.8 (HIGH)

CVSSv2 Vector

AV:N/AC:L/Au:S/C:P/I:P/A:P

  • Access Vector: NETWORK
  • Access Complexity: LOW
  • Authentication: SINGLE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: PARTIAL
  • Availability Impact: PARTIAL
Exploitability Score

8.0

Impact Score

6.4

Weaknesses
  • CWE-281 (Type: Secondary)

Affected Vendors & Products
Type         Vendor   Product                 Version/Range  Vulnerable?
Application  netlify  kiali-operator          < 1.24.7       Yes
Application  netlify  kiali-operator          < 1.33.0       Yes
Application  redhat   openshift_service_mesh  1.0            Yes
Application  redhat   openshift_service_mesh  2.0            Yes

References