Information Exposure Affecting github.com/maistra/istio-operator/pkg/controller package, versions <1.1.4


Severity

Recommended
0.0
medium
0
10

CVSS assessment made by Snyk's Security Team

    Threat Intelligence

    EPSS
    0.1% (44th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-GOLANG-GITHUBCOMMAISTRAISTIOOPERATORPKGCONTROLLER-770790
  • published 17 Sep 2020
  • disclosed 17 Sep 2020
  • credit Unknown

How to fix?

Upgrade github.com/maistra/istio-operator/pkg/controller to version 1.1.4 or higher.

Overview

Affected versions of this package are vulnerable to Information Exposure. An incorrect access control flaw was found in the operator, openshift-service-mesh/istio-rhel8-operator all versions through 1.1.3. This flaw allows an attacker with a basic level of access to the cluster to deploy a custom gateway/pod to any namespace, potentially gaining access to privileged service account tokens. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

CVSS Scores

version 3.1
Expand this section

Snyk

Recommended
5.5 medium
  • Attack Vector (AV)
    Network
  • Attack Complexity (AC)
    Low
  • Privileges Required (PR)
    High
  • User Interaction (UI)
    None
  • Scope (S)
    Unchanged
  • Confidentiality (C)
    High
  • Integrity (I)
    Low
  • Availability (A)
    None
Expand this section

NVD

8.8 high
Expand this section

Red Hat

8.8 high