CVE-2021-43979 - OpenCVE

Styra Open Policy Agent (OPA) Gatekeeper through 3.7.0 mishandles concurrency, sometimes resulting in incorrect access control. The data replication mechanism allows policies to access the Kubernetes cluster state. During data replication, OPA/Gatekeeper does not wait for the replication to finish before processing a request, which might cause inconsistencies between the replicated resources in OPA/Gatekeeper and the resources actually present in the cluster. Inconsistency can later be reflected in a policy bypass. NOTE: the vendor disagrees that this is a vulnerability, because Kubernetes states are only eventually consistent

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:L/Au:N/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Openpolicyagent	Gatekeeper

Configuration 1 [-]

cpe:2.3:a:openpolicyagent:gatekeeper:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/hkerma/opa-gatekeeper-concurrency-issue
https://github.com/open-policy-agent/gatekeeper/releases

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2021-11-17T18:26:13

Updated: 2024-08-04T04:10:16.943Z

Reserved: 2021-11-17T00:00:00

Link: CVE-2021-43979

Vulnrichment

No data.

NVD

Status : Modified

Published: 2021-11-17T19:15:09.220

Modified: 2024-08-04T04:16:57.813

Link: CVE-2021-43979

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "Styra Open Policy Agent (OPA) Gatekeeper through 3.7.0 mishandles concurrency, sometimes resulting in incorrect access control. The data replication mechanism allows policies to access the Kubernetes cluster state. During data replication, OPA/Gatekeeper does not wait for the replication to finish before processing a request, which might cause inconsistencies between the replicated resources in OPA/Gatekeeper and the resources actually present in the cluster. Inconsistency can later be reflected in a policy bypass. NOTE: the vendor disagrees that this is a vulnerability, because Kubernetes states are only eventually consistent"}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-11-17T18:26:13", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/hkerma/opa-gatekeeper-concurrency-issue"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/open-policy-agent/gatekeeper/releases"}], "tags": ["disputed"], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2021-43979", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "** DISPUTED ** Styra Open Policy Agent (OPA) Gatekeeper through 3.7.0 mishandles concurrency, sometimes resulting in incorrect access control. The data replication mechanism allows policies to access the Kubernetes cluster state. During data replication, OPA/Gatekeeper does not wait for the replication to finish before processing a request, which might cause inconsistencies between the replicated resources in OPA/Gatekeeper and the resources actually present in the cluster. Inconsistency can later be reflected in a policy bypass. NOTE: the vendor disagrees that this is a vulnerability, because Kubernetes states are only eventually consistent."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://github.com/hkerma/opa-gatekeeper-concurrency-issue", "refsource": "MISC", "url": "https://github.com/hkerma/opa-gatekeeper-concurrency-issue"}, {"name": "https://github.com/open-policy-agent/gatekeeper/releases", "refsource": "MISC", "url": "https://github.com/open-policy-agent/gatekeeper/releases"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T04:10:16.943Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/hkerma/opa-gatekeeper-concurrency-issue"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/open-policy-agent/gatekeeper/releases"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2021-43979", "datePublished": "2021-11-17T18:26:13", "dateReserved": "2021-11-17T00:00:00", "dateUpdated": "2024-08-04T04:10:16.943Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:openpolicyagent:gatekeeper:*:*:*:*:*:*:*:*", "matchCriteriaId": "9C999E1D-6B0A-4F3B-9000-63AE8570B6FE", "versionEndIncluding": "3.7.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [{"sourceIdentifier": "cve@mitre.org", "tags": ["disputed"]}], "descriptions": [{"lang": "en", "value": "Styra Open Policy Agent (OPA) Gatekeeper through 3.7.0 mishandles concurrency, sometimes resulting in incorrect access control. The data replication mechanism allows policies to access the Kubernetes cluster state. During data replication, OPA/Gatekeeper does not wait for the replication to finish before processing a request, which might cause inconsistencies between the replicated resources in OPA/Gatekeeper and the resources actually present in the cluster. Inconsistency can later be reflected in a policy bypass. NOTE: the vendor disagrees that this is a vulnerability, because Kubernetes states are only eventually consistent"}, {"lang": "es", "value": "** EN DISPUTA ** Styra Open Policy Agent (OPA) Gatekeeper versiones hasta 3.7.0, maneja inapropiadamente la concurrencia, a veces resultando en un control de acceso incorrecto. El mecanismo de replicaci\u00f3n de datos permite que las pol\u00edticas accedan al estado del cl\u00faster de Kubernetes. Durante la replicaci\u00f3n de datos, OPA/ Gatekeeper no espera a que finalice la replicaci\u00f3n antes de procesar una petici\u00f3n, lo que podr\u00eda causar inconsistencias entre los recursos replicados en OPA / Gatekeeper y los recursos realmente presentes en el cl\u00faster. La inconsistencia puede ser reflejada m\u00e1s tarde en una omisi\u00f3n de la pol\u00edtica. NOTA: el proveedor no est\u00e1 de acuerdo con que se trate de una vulnerabilidad, porque los estados de Kubernetes solo son finalmente consistentes"}], "id": "CVE-2021-43979", "lastModified": "2024-08-04T04:16:57.813", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-11-17T19:15:09.220", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://github.com/hkerma/opa-gatekeeper-concurrency-issue"}, {"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/open-policy-agent/gatekeeper/releases"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-670"}], "source": "nvd@nist.gov", "type": "Primary"}]}