CVE-2021-3948 — Incorrect Default Permissions in Mig-controller

CWE-276 — Incorrect Default Permissions4 documents4 sources

Severity

6.3MEDIUMNVD

EPSS

0.2%

top 58.84%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Konveyor Mig-controller Redhat Migration Toolkit

Timeline

PublishedFeb 18

Latest updateFeb 19

Description

An incorrect default permissions vulnerability was found in the mig-controller. Due to an incorrect cluster namespaces handling an attacker may be able to migrate a malicious workload to the target cluster, impacting confidentiality, integrity, and availability of the services located on that cluster.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:LExploitability: 2.8 | Impact: 3.4

Affected Packages3 packages

▶NVDkonveyor/mig-controller1.6.0 — 1.6.3+1

▶CVEListV5konveyor/mig-controllerkonveyor/mig-controller release-1.5.2, konveyor/mig-controller release-1.6.3

▶NVDredhat/migration_toolkit1.0, 1.5, 1.6+2

Patches

Patch: bugzilla.redhat.com ↗Patch: bugzilla.redhat.com ↗

🔴Vulnerability Details

GHSA

GHSA-6g8x-w285-c7m5: An incorrect default permissions vulnerability was found in the mig-controller↗2022-02-19

▶

CVEList

CVE-2021-3948: An incorrect default permissions vulnerability was found in the mig-controller↗2022-02-18

▶

📋Vendor Advisories

Red Hat

mig-controller: incorrect namespaces handling may lead to not authorized usage of Migration Toolkit for Containers (MTC)↗2021-11-10

▶