CVE-2021-27098
published 2021-03-05
Priority: P346, high, 8.1 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
EPSS: 0.56% (percentile 42.3)
In SPIRE 0.8.1 through 0.8.4 and before versions 0.9.4, 0.10.2, 0.11.3 and 0.12.1, specially crafted requests to the FetchX509SVID RPC of SPIRE Server’s Legacy Node API can result in the possible issuance of an X.509 certificate with a URI SAN for a SPIFFE ID that the agent is not authorized to distribute. Proper controls are in place to require that the caller presents a valid agent certificate that is already authorized to issue at least one SPIFFE ID, and the requested SPIFFE ID belongs to the same trust domain, prior to being able to trigger this vulnerability. This issue has been fixed in SPIRE versions 0.8.5, 0.9.4, 0.10.2, 0.11.3 and 0.12.1.
Affected
10 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cncf | spire | >= 0.10.0 < 0.10.2 | 0.10.2 |
| cncf | spire | >= 0.11.0 < 0.11.3 | 0.11.3 |
| cncf | spire | >= 0.12.0 < 0.12.1 | 0.12.1 |
| cncf | spire | 0.8.1 – 0.8.4 | — |
| cncf | spire | >= 0.9.0 < 0.9.4 | 0.9.4 |
| github.com | spiffe_spire | >= 0.10.0 < 0.10.2 | 0.10.2 |
| github.com | spiffe_spire | >= 0.11.0 < 0.11.3 | 0.11.3 |
| github.com | spiffe_spire | >= 0.12.0 < 0.12.1 | 0.12.1 |
| github.com | spiffe_spire | >= 0.8.1 < 0.8.5 | 0.8.5 |
| github.com | spiffe_spire | >= 0.9.0 < 0.9.4 | 0.9.4 |
CVSS provenance
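| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.1 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N |
| nvd | v2.0 | 5.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:N |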
OSV
Legacy Node API Allows Impersonation in github.com/spiffe/spire/pkg/server/endpoints/node
osv·2021-05-21
CVE-2021-27098 [HIGH] Legacy Node API Allows Impersonation in github.com/spiffe/spire/pkg/server/endpoints/node
#### Summary
In SPIRE 0.8.1 through 0.8.4 and before versions 0.9.4, 0.10.2, 0.11.3 and 0.12.1, specially crafted requests to the FetchX509SVID RPC of SPIRE Server’s Legacy Node API (github.com/spiffe/spire/pkg/server/endpoints/node) can result in the possible issuance of an X.509 certificate with a URI SAN for a SPIFFE ID that the agent is not authorized to distribute. Proper controls are in place to require that the caller presents a valid agent certificate that is already authorized to issue at least one SPIFFE ID, and the requested SPIFFE ID belongs to the same trust domain, prior to being able to trigger this vulnerability. This issue has been fixed in SPIRE versions 0.8.5, 0.9.4, 0.10.2, 0.11.3
GHSA
Legacy Node API Allows Impersonation in github.com/spiffe/spire/pkg/server/endpoints/node
ghsa·2021-05-21
CVE-2021-27098 [HIGH] CWE-284 Legacy Node API Allows Impersonation in github.com/spiffe/spire/pkg/server/endpoints/node
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.