Improper Restriction of Excessive Authentication Attempts Affecting github.com/edgelesssys/constellation/v2/internal/constellation/helm package, versions <2.16.3
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-GOLANG-GITHUBCOMEDGELESSSYSCONSTELLATIONV2INTERNALCONSTELLATIONHELM-6615866
- published 16 Apr 2024
- disclosed 15 Apr 2024
- credit Feroz Salam
How to fix?
Upgrade github.com/edgelesssys/constellation/v2/internal/constellation/helm to version 2.16.3 or higher.
Overview
Affected versions of this package are vulnerable to Improper Restriction of Excessive Authentication Attempts due to the way pods are exposed to peers in a Virtual Private Cloud (VPC). An attacker within the cloud VPC can access pods directly using their internal pod IP address, even if these pods are not explicitly exposed (e.g., via LoadBalancer). This vulnerability arises when a pod does not authenticate clients and does not exclude world traffic through network policies, potentially leading to sensitive data leakage.
Workaround
This vulnerability can be mitigated by applying a network policy that excludes all world traffic. However, this will also block all desired external traffic. For known vulnerable pods, a specific policy can be crafted to firewall those selectively.