Homepage
About Snyk

Improper Authorization Affecting github.com/weaveworks/weave-gitops/cmd/gitops/beta/run package, versions <0.12.0

Severity

 Recommended
0.0
high
0
10

CVSS assessment made by Snyk's Security Team

    Threat Intelligence

    EPSS
    0.04% (6th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-GOLANG-GITHUBCOMWEAVEWORKSWEAVEGITOPSCMDGITOPSBETARUN-3227612
  • published 10 Jan 2023
  • disclosed 10 Jan 2023
  • credit Paulo Gomes
Report a new vulnerability Found a mistake?

Introduced: 10 Jan 2023

CVE-2022-23508 Open this link in a new tab
CWE-285 Open this link in a new tab

How to fix?

Upgrade github.com/weaveworks/weave-gitops/cmd/gitops/beta/run to version 0.12.0 or higher.

Overview

github.com/weaveworks/weave-gitops/cmd/gitops/beta/run is a platform for cloud native applications, without requiring Kubernetes expertise.

Affected versions of this package are vulnerable to Improper Authorization in the gitops beta run command, which allows users to see and alter the bucket content of nodes in the same cluster. The can choose a workload and inject it into the S3 bucket, which results in the successful deployment in the target cluster.

CVSS Scores

version 3.1
Expand this section

Snyk

Recommended
8.8 high
  • Attack Vector (AV)
    Adjacent
  • Attack Complexity (AC)
    Low
  • Privileges Required (PR)
    None
  • User Interaction (UI)
    Required
  • Scope (S)
    Changed
  • Confidentiality (C)
    High
  • Integrity (I)
    High
  • Availability (A)
    High
Expand this section

NVD

7.8 high