CVE-2021-3495 - Improper Preservation of Permissions

Severity

88%

Complexity

27%

Confidentiality

98%

An incorrect access control flaw was found in the kiali-operator in versions before 1.33.0 and before 1.24.7. This flaw allows an attacker with a basic level of access to the cluster (to deploy a kiali operand) to use this vulnerability and deploy a given image to anywhere in the cluster, potentially gaining access to privileged service account tokens. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

CVSS 3.1 Base Score 8.8. CVSS Attack Vector: network. CVSS Attack Complexity: low. CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

CVSS 2.0 Base Score 6.5. CVSS Attack Vector: network. CVSS Attack Complexity: low. CVSS Vector: (AV:N/AC:L/Au:S/C:P/I:P/A:P).

Overview

First reported 3 years ago

2021-06-01 14:15:00

Last updated 3 years ago

2021-06-14 15:13:00

Affected Software

Red Hat OpenShift Service Mesh 1.0

1.0

References

https://kiali.io/news/security-bulletins/kiali-security-003/

https://bugzilla.redhat.com/show_bug.cgi?id=1947361

https://kiali.io/news/security-bulletins/kiali-security-003/

Vendor Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=1947361

Issue Tracking, Patch, Third Party Advisory

Stay updated

ExploitPedia is constantly evolving. Sign up to receive a notification when we release additional functionality.

Get in touch

If you'd like to report a bug or have any suggestions for improvements then please do get in touch with us using this form. We will get back to you as soon as we can.