Severity: 7.5 HIGH (NVD)
EPSS: 0.4% (top 39.32%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jun 27; Latest update Aug 21

Description

Weave GitOps is a simple open source developer platform for people who want cloud native applications, without needing Kubernetes expertise. A vulnerability in the logging of Weave GitOps could allow an authenticated remote attacker to view sensitive cluster configurations, aka KubeConfig, of registered Kubernetes clusters, including the service account tokens in plain text from Weave GitOps's pod logs on the management cluster. An unauthorized remote attacker can also view these sensitive config

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploitability: 3.9 | Impact: 3.6

Affected Packages (3 packages)

NVD: weave/weave_gitops < 0.8.1 +1
CVEListV5: weaveworks/weave-gitops < 0.8.1-rc.6

Patches

Vulnerability Details (3)

OSV: Weave GitOps leaked cluster credentials into logs on connection errors in github.com/weaveworks/weave-gitops (2024-08-21)
OSV: Weave GitOps leaked cluster credentials into logs on connection errors (2022-06-23)
GHSA: Weave GitOps leaked cluster credentials into logs on connection errors (2022-06-23)