{"containers": {"cna": {"affected": [{"product": "kiali/kiali-operator", "vendor": "n/a", "versions": [{"status": "affected", "version": "kiali/kiali-operator 1.33.0, kiali/kiali-operator 1.24.7"}]}], "descriptions": [{"lang": "en", "value": "An incorrect access control flaw was found in the kiali-operator in versions before 1.33.0 and before 1.24.7. This flaw allows an attacker with a basic level of access to the cluster (to deploy a kiali operand) to use this vulnerability and deploy a given image to anywhere in the cluster, potentially gaining access to privileged service account tokens. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-281", "description": "CWE-281", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-06-01T13:31:32", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1947361"}, {"tags": ["x_refsource_MISC"], "url": "https://kiali.io/news/security-bulletins/kiali-security-003/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert@redhat.com", "ID": "CVE-2021-3495", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "kiali/kiali-operator", "version": {"version_data": [{"version_value": "kiali/kiali-operator 1.33.0, kiali/kiali-operator 1.24.7"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An incorrect access control flaw was found in the kiali-operator in versions before 1.33.0 and before 1.24.7. This flaw allows an attacker with a basic level of access to the cluster (to deploy a kiali operand) to use this vulnerability and deploy a given image to anywhere in the cluster, potentially gaining access to privileged service account tokens. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-281"}]}]}, "references": {"reference_data": [{"name": "https://bugzilla.redhat.com/show_bug.cgi?id=1947361", "refsource": "MISC", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1947361"}, {"name": "https://kiali.io/news/security-bulletins/kiali-security-003/", "refsource": "MISC", "url": "https://kiali.io/news/security-bulletins/kiali-security-003/"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T16:53:17.829Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1947361"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://kiali.io/news/security-bulletins/kiali-security-003/"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2021-3495", "datePublished": "2021-06-01T13:31:32", "dateReserved": "2021-04-12T00:00:00", "dateUpdated": "2024-08-03T16:53:17.829Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:netlify:kiali-operator:*:*:*:*:*:*:*:*", "matchCriteriaId": "90113227-7E7E-4EC8-8B91-B12D9A3663CF", "versionEndExcluding": "1.24.7", "vulnerable": true}, {"criteria": "cpe:2.3:a:netlify:kiali-operator:*:*:*:*:*:*:*:*", "matchCriteriaId": "6932F64F-0CC7-40CA-BEBF-6658DABC6E80", "versionEndExcluding": "1.33.0", "versionStartIncluding": "1.30.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:openshift_service_mesh:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "732F14CE-7994-4DD2-A28B-AE9E79826C01", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:openshift_service_mesh:2.0:*:*:*:*:*:*:*", "matchCriteriaId": "A76A2BCE-4AAE-46D7-93D6-2EDE0FC83145", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An incorrect access control flaw was found in the kiali-operator in versions before 1.33.0 and before 1.24.7. This flaw allows an attacker with a basic level of access to the cluster (to deploy a kiali operand) to use this vulnerability and deploy a given image to anywhere in the cluster, potentially gaining access to privileged service account tokens. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability."}, {"lang": "es", "value": "Se encontr\u00f3 un fallo de control de acceso incorrecto en kiali-operator en versiones anteriores a 1.33.0 y versiones anteriores a 1.24.7. este fallo permite a un atacante con un nivel b\u00e1sico de acceso al cl\u00faster (para implementar un operando kiali) usar esta vulnerabilidad e implementar una imagen determinada en cualquier lugar del cl\u00faster, potencialmente consiguiendo acceso a tokens de cuentas de servicio privilegiadas. La mayor amenaza de esta vulnerabilidad es la confidencialidad e integridad de los datos, as\u00ed como la disponibilidad del sistema"}], "id": "CVE-2021-3495", "lastModified": "2021-06-14T15:13:37.510", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-06-01T14:15:10.303", "references": [{"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Patch", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1947361"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://kiali.io/news/security-bulletins/kiali-security-003/"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-281"}], "source": "secalert@redhat.com", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank Vladimir Andryushin (VTB Bank (PJSC)) for reporting this issue.", "affected_release": [{"advisory": "RHSA-2021:1544", "cpe": "cpe:/a:redhat:service_mesh:2.0::el8", "package": "openshift-service-mesh/kiali-rhel8-operator:1.24.7-1", "product_name": "OpenShift Service Mesh 2.0", "release_date": "2021-05-11T00:00:00Z"}], "bugzilla": {"description": "kiali/kiali-operator: can deploy specified image to any namespace", "id": "1947361", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1947361"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.8", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-281", "details": ["An incorrect access control flaw was found in the kiali-operator in versions before 1.33.0 and before 1.24.7. This flaw allows an attacker with a basic level of access to the cluster (to deploy a kiali operand) to use this vulnerability and deploy a given image to anywhere in the cluster, potentially gaining access to privileged service account tokens. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.", "An incorrect access control flaw was found in the kiali-operator. This flaw allows an attacker with a basic level of access to the cluster (to deploy a kiali operand) to use this vulnerability and deploy a given image to anywhere in the cluster, potentially gaining access to privileged service account tokens. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability."], "name": "CVE-2021-3495", "package_state": [{"cpe": "cpe:/a:redhat:service_mesh:1", "fix_state": "Out of support scope", "package_name": "openshift-service-mesh/kiali-rhel7-operator", "product_name": "OpenShift Service Mesh 1"}], "public_date": "2021-05-11T19:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-3495\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-3495\nhttps://kiali.io/news/security-bulletins/kiali-security-003/"], "statement": "In regards to the ServiceMesh `openshift-service-mesh/kiali-rhel7` container, it has been superseded by the `openshift-service-mesh/kiali-rhel8` container and is no longer supported.", "threat_severity": "Important", "upstream_fix": "kiali/kiali-operator 1.33.0, kiali/kiali-operator 1.24.7"}