{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2021-36779", "assignerOrgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb", "assignerShortName": "suse", "dateUpdated": "2024-09-16T23:20:38.350Z", "dateReserved": "2021-07-19T00:00:00.000Z", "datePublished": "2021-12-17T08:55:13.033Z"}, "containers": {"cna": {"title": "Host operations allowed in privileged Longhorn managed pods", "datePublic": "2021-12-17T00:00:00.000Z", "providerMetadata": {"orgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb", "shortName": "suse", "dateUpdated": "2023-01-19T00:00:00.000Z"}, "descriptions": [{"lang": "en", "value": "A Missing Authentication for Critical Function vulnerability in SUSE Longhorn allows any workload in the cluster to execute any binary present in the image on the host without authentication. This issue affects: SUSE Longhorn longhorn versions prior to 1.1.3; longhorn versions prior to 1.2.3."}], "affected": [{"vendor": "SUSE", "product": "Longhorn", "versions": [{"version": "longhorn", "status": "affected", "lessThan": "1.1.3", "versionType": "custom"}]}, {"vendor": "SUSE", "product": "Longhorn", "versions": [{"version": "longhorn", "status": "affected", "lessThan": "1.2.3", "versionType": "custom"}]}], "references": [{"url": "https://bugzilla.suse.com/show_bug.cgi?id=1191818"}, {"url": "https://github.com/longhorn/longhorn/security/advisories/GHSA-g358-m2wp-mhhx"}], "credits": [{"lang": "en", "value": "Dagan Henderson and Will Kline"}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "attackVector": "ADJACENT_NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 9.6, "baseSeverity": "CRITICAL"}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-306: Missing Authentication for Critical Function", "cweId": "CWE-306"}]}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "source": {"advisory": "https://bugzilla.suse.com/show_bug.cgi?id=1191818", "defect": ["1191818"], "discovery": "EXTERNAL"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T01:01:59.764Z"}, "title": "CVE Program Container", "references": [{"url": "https://bugzilla.suse.com/show_bug.cgi?id=1191818", "tags": ["x_transferred"]}, {"url": "https://github.com/longhorn/longhorn/security/advisories/GHSA-g358-m2wp-mhhx", "tags": ["x_transferred"]}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:linuxfoundation:longhorn:*:*:*:*:*:*:*:*", "matchCriteriaId": "ACC59D6B-78C0-4A58-B819-2E333591E5D9", "versionEndExcluding": "1.1.3", "vulnerable": true}, {"criteria": "cpe:2.3:a:linuxfoundation:longhorn:*:*:*:*:*:*:*:*", "matchCriteriaId": "677170E4-EBEF-4131-9B58-6A0308273181", "versionEndExcluding": "1.2.3", "versionStartIncluding": "1.2.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A Missing Authentication for Critical Function vulnerability in SUSE Longhorn allows any workload in the cluster to execute any binary present in the image on the host without authentication. This issue affects: SUSE Longhorn longhorn versions prior to 1.1.3; longhorn versions prior to 1.2.3."}, {"lang": "es", "value": "Una vulnerabilidad de falta de autenticaci\u00f3n para funciones cr\u00edticas en SUSE Longhorn permite que cualquier carga de trabajo en el cl\u00faster ejecute cualquier binario presente en la imagen del host sin autenticaci\u00f3n. Este problema afecta a: Las versiones de SUSE Longhorn anteriores a la 1.1.3; las versiones de Longhorn anteriores a la 1.2.3"}], "id": "CVE-2021-36779", "lastModified": "2024-11-21T06:14:04.923", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 8.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:A/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 6.5, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.6, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 6.0, "source": "meissner@suse.de", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.6, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 6.0, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-12-17T09:15:06.923", "references": [{"source": "meissner@suse.de", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://bugzilla.suse.com/show_bug.cgi?id=1191818"}, {"source": "meissner@suse.de", "tags": ["Vendor Advisory"], "url": "https://github.com/longhorn/longhorn/security/advisories/GHSA-g358-m2wp-mhhx"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://bugzilla.suse.com/show_bug.cgi?id=1191818"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://github.com/longhorn/longhorn/security/advisories/GHSA-g358-m2wp-mhhx"}], "sourceIdentifier": "meissner@suse.de", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-306"}], "source": "meissner@suse.de", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-306"}], "source": "nvd@nist.gov", "type": "Secondary"}]}

{}

{}