CVE-2023-1065 - OpenCVE

This vulnerability in the Snyk Kubernetes Monitor can result in irrelevant data being posted to a Snyk Organization, which could in turn obfuscate other, relevant, security issues. It does not expose the user of the integration to any direct security risk and no user data can be leaked. To exploit the vulnerability the attacker does not need to be authenticated to Snyk but does need to know the target's Integration ID (which may or may not be the same as the Organization ID, although this is an unpredictable UUID in either case).

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Snyk	Kubernetes Monitor

Configuration 1 [-]

cpe:2.3:a:snyk:kubernetes_monitor:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/snyk/kubernetes-monitor
https://github.com/snyk/kubernetes-monitor/commit/5b9a7821680bbfb6c4a900ab05d898ce2b2cc157
https://github.com/snyk/kubernetes-monitor/pull/1275
https://snyk.io/blog/api-auth-vuln-snyk-kubernetes-cve-2023-1065/

History

No history.

MITRE

Status: PUBLISHED

Assigner: snyk

Published: 2023-02-28T18:32:47.899Z

Updated: 2024-08-02T05:32:46.387Z

Reserved: 2023-02-27T11:54:18.520Z

Link: CVE-2023-1065

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2023-02-28T19:15:16.727

Modified: 2023-03-10T04:58:38.103

Link: CVE-2023-1065

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-1065", "assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "state": "PUBLISHED", "assignerShortName": "snyk", "dateReserved": "2023-02-27T11:54:18.520Z", "datePublished": "2023-02-28T18:32:47.899Z", "dateUpdated": "2024-08-02T05:32:46.387Z"}, "containers": {"cna": {"affected": [{"product": "Snyk Kubernetes Monitor", "vendor": "Snyk", "versions": [{"lessThan": "2.0.0", "status": "affected", "version": "0", "versionType": "semver"}]}], "metrics": [{"cvssV3_1": {"attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}}], "providerMetadata": {"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "shortName": "snyk", "dateUpdated": "2023-03-01T11:27:50.500Z"}, "descriptions": [{"lang": "en", "value": "This vulnerability in the Snyk Kubernetes Monitor can result in irrelevant data being posted to a Snyk Organization, which could in turn obfuscate other, relevant, security issues. It does not expose the user of the integration to any direct security risk and no user data can be leaked. To exploit the vulnerability the attacker does not need to be authenticated to Snyk but does need to know the target's Integration ID (which may or may not be the same as the Organization ID, although this is an unpredictable UUID in either case)."}], "references": [{"url": "https://github.com/snyk/kubernetes-monitor"}, {"url": "https://github.com/snyk/kubernetes-monitor/commit/5b9a7821680bbfb6c4a900ab05d898ce2b2cc157"}, {"url": "https://snyk.io/blog/api-auth-vuln-snyk-kubernetes-cve-2023-1065/"}, {"url": "https://github.com/snyk/kubernetes-monitor/pull/1275"}], "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-287", "description": "CWE-287 Improper Authentication"}]}], "credits": [{"lang": "en", "value": "Tesco CyberSecurity Team"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T05:32:46.387Z"}, "title": "CVE Program Container", "references": [{"url": "https://github.com/snyk/kubernetes-monitor", "tags": ["x_transferred"]}, {"url": "https://github.com/snyk/kubernetes-monitor/commit/5b9a7821680bbfb6c4a900ab05d898ce2b2cc157", "tags": ["x_transferred"]}, {"url": "https://snyk.io/blog/api-auth-vuln-snyk-kubernetes-cve-2023-1065/", "tags": ["x_transferred"]}, {"url": "https://github.com/snyk/kubernetes-monitor/pull/1275", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:snyk:kubernetes_monitor:*:*:*:*:*:*:*:*", "matchCriteriaId": "B1E859F1-7DBE-4E50-BE04-05D68CD9337B", "versionEndExcluding": "2.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "This vulnerability in the Snyk Kubernetes Monitor can result in irrelevant data being posted to a Snyk Organization, which could in turn obfuscate other, relevant, security issues. It does not expose the user of the integration to any direct security risk and no user data can be leaked. To exploit the vulnerability the attacker does not need to be authenticated to Snyk but does need to know the target's Integration ID (which may or may not be the same as the Organization ID, although this is an unpredictable UUID in either case)."}], "id": "CVE-2023-1065", "lastModified": "2023-03-10T04:58:38.103", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "report@snyk.io", "type": "Secondary"}]}, "published": "2023-02-28T19:15:16.727", "references": [{"source": "report@snyk.io", "tags": ["Product"], "url": "https://github.com/snyk/kubernetes-monitor"}, {"source": "report@snyk.io", "tags": ["Patch"], "url": "https://github.com/snyk/kubernetes-monitor/commit/5b9a7821680bbfb6c4a900ab05d898ce2b2cc157"}, {"source": "report@snyk.io", "tags": ["Patch"], "url": "https://github.com/snyk/kubernetes-monitor/pull/1275"}, {"source": "report@snyk.io", "tags": ["Vendor Advisory"], "url": "https://snyk.io/blog/api-auth-vuln-snyk-kubernetes-cve-2023-1065/"}], "sourceIdentifier": "report@snyk.io", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-287"}], "source": "report@snyk.io", "type": "Secondary"}]}