# github.com/weaveworks/weave-gitops vulnerabilities
3 known vulnerabilities affecting github.com/weaveworks_weave-gitops.
- Total CVEs: 3
- CISA KEV: 0
- Public exploits: 0
- Exploited in wild: 0
- Severity breakdown: CRITICAL 1, HIGH 2
Vulnerabilities
### CVE-2022-23509 [HIGH] CWE-200: GitOps Run insecure communication

- Severity: HIGH (CVSS 7.8)
- Affected versions: ≥ 0, < 0.12.0
- Date: 2023-01-09
### Impact
GitOps Run has a local S3 bucket which it uses for synchronising files that are later applied against a Kubernetes cluster. The communication between GitOps Run and the local S3 bucket is not encrypted.
This allows privileged users or processes to tap the local traffic to gain information permitting access to the S3 bucket. From that point, it would be possible to alter the bucket content.
### CVE-2022-23508 [HIGH] CWE-284: GitOps Run allows for Kubernetes workload injection

- Severity: HIGH
- Affected versions: ≥ 0, < 0.12.0
- Date: 2023-01-09
### Impact
A vulnerability in GitOps Run could allow a local user or process to alter a Kubernetes cluster's resources.
GitOps Run has a local S3 bucket which it uses for synchronising files that are later applied against a Kubernetes cluster. Its endpoint had no security controls to block unauthorised access, therefore allowing local users (and processes) on th
### CVE-2022-31098 [CRITICAL] CWE-200: Weave GitOps leaked cluster credentials into logs on connection errors

- Severity: CRITICAL
- Affected versions: ≥ 0, < 0.8.1-rc.6
- Date: 2022-06-23
### Impact
A vulnerability in the logging of Weave GitOps could allow an authenticated remote attacker to view sensitive cluster configurations, aka KubeConfig, of registered Kubernetes clusters, including the service account tokens in plain text from Weave GitOps's pod logs on the management cluster. An unauthorized remot