CVE-2022-23509

Weave GitOps is a simple open source developer platform for people who want cloud native applications, without needing Kubernetes expertise. GitOps run has a local S3 bucket which it uses for synchronizing files that are later applied against a Kubernetes cluster. The communication between GitOps Run and the local S3 bucket is not encrypted. This allows privileged users or process to tap the local traffic to gain information permitting access to the s3 bucket. From that point, it would be possible to alter the bucket content, resulting in changes in the Kubernetes cluster's resources. There are no known workaround(s) for this vulnerability. This vulnerability has been fixed by commits ce2bbff and babd915. Users should upgrade to Weave GitOps version >= v0.12.0 released on 08/12/2022.
Configurations

Configuration 1 (hide)

cpe:2.3:a:weave:weave_gitops:*:*:*:*:*:*:*:*

History

21 Nov 2024, 06:48

Type Values Removed Values Added
CVSS v2 : unknown
v3 : 6.0
v2 : unknown
v3 : 7.3
References () https://github.com/weaveworks/weave-gitops/pull/3098/commits/babd91574b99b310b84aeec9f8f895bd18acb967 - Patch, Third Party Advisory () https://github.com/weaveworks/weave-gitops/pull/3098/commits/babd91574b99b310b84aeec9f8f895bd18acb967 - Patch, Third Party Advisory
References () https://github.com/weaveworks/weave-gitops/pull/3106/commits/ce2bbff0a3609c33396050ed544a5a21f8d0797f - Patch, Third Party Advisory () https://github.com/weaveworks/weave-gitops/pull/3106/commits/ce2bbff0a3609c33396050ed544a5a21f8d0797f - Patch, Third Party Advisory
References () https://github.com/weaveworks/weave-gitops/security/advisories/GHSA-89qm-wcmw-3mgg - Third Party Advisory () https://github.com/weaveworks/weave-gitops/security/advisories/GHSA-89qm-wcmw-3mgg - Third Party Advisory
Summary
  • (es) Weave GitOps es una sencilla plataforma de desarrollo de código abierto para personas que desean aplicaciones nativas de la nube, sin necesidad de experiencia en Kubernetes. La ejecución de GitOps tiene un depósito S3 local que utiliza para sincronizar archivos que luego se aplican en un clúster de Kubernetes. La comunicación entre GitOps Run y el depósito S3 local no está cifrada. Esto permite a los usuarios o procesos privilegiados aprovechar el tráfico local para obtener información que permita el acceso al depósito s3. A partir de ese punto, sería posible alterar el contenido del depósito, lo que daría como resultado cambios en los recursos del clúster de Kubernetes. No se conocen workarounds para esta vulnerabilidad. Esta vulnerabilidad se solucionó mediante las confirmaciones ce2bbff y babd915. Los usuarios deben actualizar a la versión Weave GitOps >= v0.12.0 lanzada el 12/08/2022.

27 Jun 2023, 15:13

Type Values Removed Values Added
New CVE

Information

Published : 2023-01-09 14:15

Updated : 2024-11-21 06:48


NVD link : CVE-2022-23509

Mitre link : CVE-2022-23509

CVE.ORG link : CVE-2022-23509


JSON object : View

Products Affected

weave

  • weave_gitops
CWE
CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

CWE-319

Cleartext Transmission of Sensitive Information