CVE-2021-3495

{"id": "CVE-2021-3495", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 6.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2021-06-01T14:15:10.303", "references": [{"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1947361", "tags": ["Issue Tracking", "Patch", "Third Party Advisory"], "source": "secalert@redhat.com"}, {"url": "https://kiali.io/news/security-bulletins/kiali-security-003/", "tags": ["Vendor Advisory"], "source": "secalert@redhat.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "secalert@redhat.com", "description": [{"lang": "en", "value": "CWE-281"}]}], "descriptions": [{"lang": "en", "value": "An incorrect access control flaw was found in the kiali-operator in versions before 1.33.0 and before 1.24.7. This flaw allows an attacker with a basic level of access to the cluster (to deploy a kiali operand) to use this vulnerability and deploy a given image to anywhere in the cluster, potentially gaining access to privileged service account tokens. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability."}, {"lang": "es", "value": "Se encontr\u00f3 un fallo de control de acceso incorrecto en kiali-operator en versiones anteriores a 1.33.0 y versiones anteriores a 1.24.7. este fallo permite a un atacante con un nivel b\u00e1sico de acceso al cl\u00faster (para implementar un operando kiali) usar esta vulnerabilidad e implementar una imagen determinada en cualquier lugar del cl\u00faster, potencialmente consiguiendo acceso a tokens de cuentas de servicio privilegiadas. La mayor amenaza de esta vulnerabilidad es la confidencialidad e integridad de los datos, as\u00ed como la disponibilidad del sistema"}], "lastModified": "2021-06-14T15:13:37.510", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:netlify:kiali-operator:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "90113227-7E7E-4EC8-8B91-B12D9A3663CF", "versionEndExcluding": "1.24.7"}, {"criteria": "cpe:2.3:a:netlify:kiali-operator:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6932F64F-0CC7-40CA-BEBF-6658DABC6E80", "versionEndExcluding": "1.33.0", "versionStartIncluding": "1.30.0"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:redhat:openshift_service_mesh:1.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "732F14CE-7994-4DD2-A28B-AE9E79826C01"}, {"criteria": "cpe:2.3:a:redhat:openshift_service_mesh:2.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A76A2BCE-4AAE-46D7-93D6-2EDE0FC83145"}], "operator": "OR"}]}], "sourceIdentifier": "secalert@redhat.com"}