CVE-2022-23509Sensitive Information Exposure in Weaveworks Weave-gitops

CWE-200Sensitive Information ExposureCWE-319Cleartext Transmission of Sensitive Info4 documents3 sources
Severity
6.0MEDIUMNVD
GHSA7.8OSV7.8
EPSS
0.0%
top 90.73%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Github.com Weaveworks Weave-gitopsWeave GitopsWeaveworks Weave-gitops
Timeline
PublishedJan 9
Latest updateAug 20

Description

Weave GitOps is a simple open source developer platform for people who want cloud native applications, without needing Kubernetes expertise. GitOps run has a local S3 bucket which it uses for synchronizing files that are later applied against a Kubernetes cluster. The communication between GitOps Run and the local S3 bucket is not encrypted. This allows privileged users or process to tap the local traffic to gain information permitting access to the s3 bucket. From that point, it would be possib

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:NExploitability: 0.8 | Impact: 5.2

Affected Packages3 packages

NVDweave/weave_gitops< 0.12.0
CVEListV5weaveworks/weave-gitops0.11.0

Patches

Patch: github.comPatch: github.comPatch: github.com

🔴Vulnerability Details

3
OSV
Gitops Run insecure communication in github.com/weaveworks/weave-gitops2024-08-20
GHSA
Gitops Run insecure communication2023-01-09
OSV
Gitops Run insecure communication2023-01-09