Improper Access Control Affecting github.com/kiali/kiali package, versions <1.33.0


Severity: medium (CVSS assessment made by Snyk's Security Team)

Threat Intelligence

EPSS: 0.1% (44th percentile)

  • Snyk ID: SNYK-GOLANG-GITHUBCOMKIALIKIALI-7786370
  • Published: 22 Aug 2024
  • Disclosed: 21 Aug 2024
  • Credit: Unknown

Introduced: 21 Aug 2024

CVE-2021-3495
CWE-284

How to fix?

Upgrade github.com/kiali/kiali to version 1.33.0 or higher.

Overview

github.com/kiali/kiali is Kiali, a management console for the Istio service mesh. Kiali can be quickly installed as an Istio add-on, or trusted as a part of your production environment.

Affected versions of this package are vulnerable to Improper Access Control. An attacker with a basic level of access to the cluster can gain unauthorized access and perform unauthorized actions because the Kiali operator does not sufficiently restrict where an installation may be directed: by editing the Kiali CR, a specified image can be installed into any namespace.

NOTE: Kiali users are exposed to this vulnerability if all the following conditions are met:

  1. Kiali operator is used for installation.

  2. Kiali CR was edited to install an image into an unapproved namespace.

Workaround

If updating is not possible, ensure that only trusted individuals can create or edit Kiali CRs (resources of kind "kiali").
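One way to apply this workaround with Kubernetes RBAC, as an added example that is not part of the Snyk advisory or the Kiali project: write access to the Kiali CR is granted only to a named admin group, and everyone else is limited to read-only. It assumes the operator's CRD is kialis.kiali.io and that a group named kiali-admins exists in your identity provider; adjust both to your cluster.

```yaml
# Added example, not from the advisory or the Kiali project.
# Assumptions: CRD kialis.kiali.io (API group kiali.io); group "kiali-admins"
# is the set of trusted individuals allowed to create or edit Kiali CRs.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kiali-cr-editor
rules:
  # Only these verbs on the Kiali CR can change where/what the operator installs.
  - apiGroups: ["kiali.io"]
    resources: ["kialis"]
    verbs: ["create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kiali-cr-editors
subjects:
  - kind: Group
    name: kiali-admins            # assumed group; replace with your trusted admins
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: kiali-cr-editor
  apiGroup: rbac.authorization.k8s.io
---
# Read-only role for everyone else: enough to inspect install status, but not
# enough to point the operator at an unapproved namespace or image.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kiali-cr-viewer
rules:
  - apiGroups: ["kiali.io"]
    resources: ["kialis"]
    verbs: ["get", "list", "watch"]
```

After applying, check that no other binding still grants write access to the CR (for example via a wildcard ClusterRole) with `kubectl auth can-i create kialis.kiali.io --as=<user>` for the users and service accounts that are not meant to have it.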
