Improper Access Control Affecting github.com/kiali/kiali package, versions <1.33.0
Snyk ID SNYK-GOLANG-GITHUBCOMKIALIKIALI-7786370
- published 22 Aug 2024
- disclosed 21 Aug 2024
- credit Unknown
Introduced: 21 Aug 2024
CVE-2021-3495
How to fix?
Upgrade github.com/kiali/kiali to version 1.33.0 or higher.
Overview
github.com/kiali/kiali is Kiali, a management console for the Istio service mesh. Kiali can be quickly installed as an Istio add-on, or trusted as a part of your production environment.
Affected versions of this package are vulnerable to Improper Access Control. An attacker with a basic level of access to the cluster can gain unauthorized access and perform unauthorized actions by exploiting insufficient security restrictions, which allow the installation of a specified image into any namespace.
NOTE: Kiali users are exposed to this vulnerability only if all of the following conditions are met:
- The Kiali operator is used for installation.
- The Kiali CR was edited to install an image into an unapproved namespace.
Workaround
If updating is not possible, ensure that only trusted individuals can create or edit Kiali CRs (resources of kind “kiali”).
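One way to apply that workaround with Kubernetes RBAC, as an added example that is not part of the Snyk advisory or the Kiali project's own manifests: grant create/update/patch/delete on the Kiali CR to a single trusted group and to nobody else. It assumes the Kiali CR is served under the apiGroup `kiali.io` with the plural resource name `kialis` (confirm with `kubectl api-resources | grep -i kiali`), and `mesh-admins` is a placeholder for the trusted group in your identity provider.

```yaml
# Added example (not from the Snyk advisory or the Kiali project).
# Assumption: the Kiali CR is served under apiGroup "kiali.io" with the
# plural resource name "kialis"; verify with: kubectl api-resources | grep -i kiali
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kiali-cr-editor
rules:
  # Only this role may mutate Kiali CRs; no other Role/ClusterRole should
  # carry these verbs on this resource.
  - apiGroups: ["kiali.io"]
    resources: ["kialis"]
    verbs: ["create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kiali-cr-editors
subjects:
  - kind: Group
    name: mesh-admins   # placeholder: the trusted group in your identity provider
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: kiali-cr-editor
  apiGroup: rbac.authorization.k8s.io
---
# Everyone else who needs visibility gets read-only access to the CR.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kiali-cr-viewer
rules:
  - apiGroups: ["kiali.io"]
    resources: ["kialis"]
    verbs: ["get", "list", "watch"]
```

RBAC is additive, so the binding above only helps if no other Role or ClusterRole bound to less-trusted users also grants write verbs on `kialis.kiali.io`; check a representative low-privilege identity with `kubectl auth can-i create kialis.kiali.io --as=<user>` and expect `no`.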