CVE-2021-43979 - Vulnerability Details - OpenCVE

Description

Styra Open Policy Agent (OPA) Gatekeeper through 3.7.0 mishandles concurrency, sometimes resulting in incorrect access control. The data replication mechanism allows policies to access the Kubernetes cluster state. During data replication, OPA/Gatekeeper does not wait for the replication to finish before processing a request, which might cause inconsistencies between the replicated resources in OPA/Gatekeeper and the resources actually present in the cluster. Inconsistency can later be reflected in a policy bypass. NOTE: the vendor disagrees that this is a vulnerability, because Kubernetes states are only eventually consistent

Published: 2021-11-17

Score: 5.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

No analysis available yet.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

n/a

n/a

affected

Version	Status	Constraints
`n/a`	affected	—

Configuration 1 [-]

cpe:2.3:a:openpolicyagent:gatekeeper:*:*:*:*:*:*:*:*

No data.

No data available yet.

Remediation

No remediation available yet.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.00227.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://github.com/hkerma/opa-gatekeeper-concurrency-issue
https://github.com/open-policy-agent/gatekeeper/releases

History

No history.

Subscriptions

Openpolicyagent Gatekeeper

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2021-11-17T18:26:13.000Z

Updated: 2024-08-04T04:10:16.943Z

Reserved: 2021-11-17T00:00:00.000Z

Link: CVE-2021-43979

Vulnrichment

No data.

NVD

Status : Modified

Published: 2021-11-17T19:15:09.220

Modified: 2024-11-21T06:30:08.037

Link: CVE-2021-43979

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

CWE-670

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "Styra Open Policy Agent (OPA) Gatekeeper through 3.7.0 mishandles concurrency, sometimes resulting in incorrect access control. The data replication mechanism allows policies to access the Kubernetes cluster state. During data replication, OPA/Gatekeeper does not wait for the replication to finish before processing a request, which might cause inconsistencies between the replicated resources in OPA/Gatekeeper and the resources actually present in the cluster. Inconsistency can later be reflected in a policy bypass. NOTE: the vendor disagrees that this is a vulnerability, because Kubernetes states are only eventually consistent"}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-11-17T18:26:13.000Z", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/hkerma/opa-gatekeeper-concurrency-issue"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/open-policy-agent/gatekeeper/releases"}], "tags": ["disputed"], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2021-43979", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "** DISPUTED ** Styra Open Policy Agent (OPA) Gatekeeper through 3.7.0 mishandles concurrency, sometimes resulting in incorrect access control. The data replication mechanism allows policies to access the Kubernetes cluster state. During data replication, OPA/Gatekeeper does not wait for the replication to finish before processing a request, which might cause inconsistencies between the replicated resources in OPA/Gatekeeper and the resources actually present in the cluster. Inconsistency can later be reflected in a policy bypass. NOTE: the vendor disagrees that this is a vulnerability, because Kubernetes states are only eventually consistent."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://github.com/hkerma/opa-gatekeeper-concurrency-issue", "refsource": "MISC", "url": "https://github.com/hkerma/opa-gatekeeper-concurrency-issue"}, {"name": "https://github.com/open-policy-agent/gatekeeper/releases", "refsource": "MISC", "url": "https://github.com/open-policy-agent/gatekeeper/releases"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T04:10:16.943Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/hkerma/opa-gatekeeper-concurrency-issue"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/open-policy-agent/gatekeeper/releases"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2021-43979", "datePublished": "2021-11-17T18:26:13.000Z", "dateReserved": "2021-11-17T00:00:00.000Z", "dateUpdated": "2024-08-04T04:10:16.943Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:openpolicyagent:gatekeeper:*:*:*:*:*:*:*:*", "matchCriteriaId": "9C999E1D-6B0A-4F3B-9000-63AE8570B6FE", "versionEndIncluding": "3.7.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [{"sourceIdentifier": "cve@mitre.org", "tags": ["disputed"]}], "descriptions": [{"lang": "en", "value": "Styra Open Policy Agent (OPA) Gatekeeper through 3.7.0 mishandles concurrency, sometimes resulting in incorrect access control. The data replication mechanism allows policies to access the Kubernetes cluster state. During data replication, OPA/Gatekeeper does not wait for the replication to finish before processing a request, which might cause inconsistencies between the replicated resources in OPA/Gatekeeper and the resources actually present in the cluster. Inconsistency can later be reflected in a policy bypass. NOTE: the vendor disagrees that this is a vulnerability, because Kubernetes states are only eventually consistent"}, {"lang": "es", "value": "** EN DISPUTA ** Styra Open Policy Agent (OPA) Gatekeeper versiones hasta 3.7.0, maneja inapropiadamente la concurrencia, a veces resultando en un control de acceso incorrecto. El mecanismo de replicaci\u00f3n de datos permite que las pol\u00edticas accedan al estado del cl\u00faster de Kubernetes. Durante la replicaci\u00f3n de datos, OPA/ Gatekeeper no espera a que finalice la replicaci\u00f3n antes de procesar una petici\u00f3n, lo que podr\u00eda causar inconsistencias entre los recursos replicados en OPA / Gatekeeper y los recursos realmente presentes en el cl\u00faster. La inconsistencia puede ser reflejada m\u00e1s tarde en una omisi\u00f3n de la pol\u00edtica. NOTA: el proveedor no est\u00e1 de acuerdo con que se trate de una vulnerabilidad, porque los estados de Kubernetes solo son finalmente consistentes"}], "id": "CVE-2021-43979", "lastModified": "2024-11-21T06:30:08.037", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-11-17T19:15:09.220", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://github.com/hkerma/opa-gatekeeper-concurrency-issue"}, {"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/open-policy-agent/gatekeeper/releases"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/hkerma/opa-gatekeeper-concurrency-issue"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/open-policy-agent/gatekeeper/releases"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-670"}], "source": "nvd@nist.gov", "type": "Primary"}]}