CVE-2022-23508Improper Access Control in Weaveworks Weave-gitops

CWE-284Improper Access ControlCWE-538Insertion of Sensitive Information into Externally-Accessible File or DirectoryCWE-552Files or Directories Accessible to External PartiesCWE-200Sensitive Information ExposureCWE-319Cleartext Transmission of Sensitive Info6 documents3 sources
Severity
7.8HIGHNVD
EPSS
0.1%
top 83.89%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Github.com Weaveworks Weave-gitopsWeave GitopsWeaveworks Weave-gitops
Timeline
PublishedJan 9
Latest updateAug 20

Description

Weave GitOps is a simple open source developer platform for people who want cloud native applications, without needing Kubernetes expertise. A vulnerability in GitOps run could allow a local user or process to alter a Kubernetes cluster's resources. GitOps run has a local S3 bucket which it uses for synchronizing files that are later applied against a Kubernetes cluster. Its endpoint had no security controls to block unauthorized access, therefore allowing local users (and processes) on the same

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages3 packages

CVEListV5weaveworks/weave-gitops0.11.0
NVDweave/weave_gitops< 0.12.0

Patches

Patch: github.comPatch: github.comPatch: github.com

🔴Vulnerability Details

5
OSV
GitOps Run allows for Kubernetes workload injection in github.com/weaveworks/weave-gitops2024-08-20
GHSA
Gitops Run insecure communication2023-01-09
GHSA
GitOps Run allows for Kubernetes workload injection2023-01-09
OSV
GitOps Run allows for Kubernetes workload injection2023-01-09
OSV
Gitops Run insecure communication2023-01-09