CVE-2021-3495

EPSS 0.34%
Published 01.06.2021 14:15:10
Last modified 21.11.2024 06:21:40
Source secalert@redhat.com
Teams watchlist Login
Open Login

An incorrect access control flaw was found in the kiali-operator in versions before 1.33.0 and before 1.24.7. This flaw allows an attacker with a basic level of access to the cluster (to deploy a kiali operand) to use this vulnerability and deploy a given image to anywhere in the cluster, potentially gaining access to privileged service account tokens. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

Affected products Warnungen 0 Metrics 3 CWE 1 References 5

Data is provided by the National Vulnerability Database (NVD)

Netlify ≫ Kiali-operator Version < 1.24.7

Netlify ≫ Kiali-operator Version >= 1.30.0 < 1.33.0

Redhat ≫ Openshift Service Mesh Version1.0

Redhat ≫ Openshift Service Mesh Version2.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.34%	0.536

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	6.5	8	6.4	AV:N/AC:L/Au:S/C:P/I:P/A:P

CWE-281 Improper Preservation of Permissions

The product does not preserve permissions or incorrectly preserves permissions when copying, restoring, or sharing objects, which can cause them to have less restrictive permissions than intended.

https://bugzilla.redhat.com/show_bug.cgi?id=1947361

Patch

Third Party Advisory

Issue Tracking

https://kiali.io/news/security-bulletins/kiali-security-003/

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2021-3495

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2021-3495

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2021-3495

EUVD