CVSS: 8.5EPSS: 0%CPEs: 5EXPL: 2CVE-2023-34236 – Information Disclosure Vulnerability in Weave GitOps Terraform Controller
https://notcve.org/view.php?id=CVE-2023-34236
Weave GitOps Terraform Controller (aka Weave TF-controller) is a controller for Flux to reconcile Terraform resources in a GitOps way. A vulnerability has been identified in Weave GitOps Terraform Controller which could allow an authenticated remote attacker to view sensitive information. This vulnerability stems from Weave GitOps Terraform Runners (`tf-runner`), where sensitive data is inadvertently printed - potentially revealing sensitive user data in their pod logs. In particular, functions `tfexec.ShowPlan`, `tfexec.ShowPlanRaw`, and `tfexec.Output` are implicated when the `tfexec` object set its `Stdout` and `Stderr` to be `os.Stdout` and `os.Stderr`. An unauthorized remote attacker could exploit this vulnerability by accessing these prints of sensitive information, which may contain configurations or tokens that could be used to gain unauthorized control or access to resources managed by the Terraform controller. • https://github.com/weaveworks/tf-controller/commit/28282bc644054e157c3b9a3d38f1f9551ce09074 https://github.com/weaveworks/tf-controller/commit/6323b355bd7f5d2ce85d0244fe0883af3881df4e https://github.com/weaveworks/tf-controller/commit/9708fda28ccd0466cb0a8fd409854ab4d92f7dca https://github.com/weaveworks/tf-controller/commit/98a0688036e9dbcf43fa84960d9a1ef3e09a69cf https://github.com/weaveworks/tf-controller/issues/637 https://github.com/weaveworks/tf-controller/issues/649 https://github.com/weaveworks/tf-controller/security/advisories/GHSA-6hvv-j432-23cv • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.3EPSS: 0%CPEs: 1EXPL: 0CVE-2022-23509 – Weave Gitops Run vulnerable to insecure communication
https://notcve.org/view.php?id=CVE-2022-23509
Weave GitOps is a simple open source developer platform for people who want cloud native applications, without needing Kubernetes expertise. GitOps run has a local S3 bucket which it uses for synchronizing files that are later applied against a Kubernetes cluster. The communication between GitOps Run and the local S3 bucket is not encrypted. This allows privileged users or process to tap the local traffic to gain information permitting access to the s3 bucket. From that point, it would be possible to alter the bucket content, resulting in changes in the Kubernetes cluster's resources. • https://github.com/weaveworks/weave-gitops/pull/3098/commits/babd91574b99b310b84aeec9f8f895bd18acb967 https://github.com/weaveworks/weave-gitops/pull/3106/commits/ce2bbff0a3609c33396050ed544a5a21f8d0797f https://github.com/weaveworks/weave-gitops/security/advisories/GHSA-89qm-wcmw-3mgg • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-319: Cleartext Transmission of Sensitive Information •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2022-23508 – GitOps Run allows for Kubernetes workload injection
https://notcve.org/view.php?id=CVE-2022-23508
Weave GitOps is a simple open source developer platform for people who want cloud native applications, without needing Kubernetes expertise. A vulnerability in GitOps run could allow a local user or process to alter a Kubernetes cluster's resources. GitOps run has a local S3 bucket which it uses for synchronizing files that are later applied against a Kubernetes cluster. Its endpoint had no security controls to block unauthorized access, therefore allowing local users (and processes) on the same machine to see and alter the bucket content. By leveraging this vulnerability, an attacker could pick a workload of their choosing and inject it into the S3 bucket, which resulted in the successful deployment in the target cluster, without the need to provide any credentials to either the S3 bucket nor the target Kubernetes cluster. • https://github.com/weaveworks/weave-gitops/pull/3102/commits/966823bbda8c539a4661e2a4f8607c9307ba6225 https://github.com/weaveworks/weave-gitops/pull/3114/commits/75268c4d2c8f7e4db22c63d76b451ba6545d117f https://github.com/weaveworks/weave-gitops/security/advisories/GHSA-wr3c-g326-486c • CWE-284: Improper Access Control CWE-538: Insertion of Sensitive Information into Externally-Accessible File or Directory CWE-552: Files or Directories Accessible to External Parties •
CVSS: 5.4EPSS: 0%CPEs: 4EXPL: 1CVE-2022-38790
https://notcve.org/view.php?id=CVE-2022-38790
Weave GitOps Enterprise before 0.9.0-rc.5 has a cross-site scripting (XSS) bug allowing a malicious user to inject a javascript: link in the UI. When clicked by a victim user, the script will execute with the victim's permission. The exposure appears in Weave GitOps Enterprise UI via a GitopsCluster dashboard link. An annotation can be added to a GitopsCluster custom resource. Weave GitOps Enterprise versiones anteriores a 0.9.0-rc.5, presenta un fallo de tipo cross-site scripting (XSS) que permite a un usuario malicioso inyectar un enlace javascript: en la Interfaz de Usuario. • https://docs.gitops.weave.works/docs/cluster-management/getting-started/#profiles-and-clusters https://docs.gitops.weave.works/docs/intro https://docs.gitops.weave.works/security/cve/enterprise/CVE-2022-38790/index.html https://www.weave.works/product/gitops-enterprise • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2022-35976 – Improper KubeConfig handling allows arbitrary code execution
https://notcve.org/view.php?id=CVE-2022-35976
The GitOps Tools Extension for VSCode relies on kubeconfigs in order to communicate with Kubernetes clusters. A specially crafted kubeconfig leads to arbitrary code execution on behalf of the user running VSCode. Users relying on kubeconfigs that are generated or altered by other processes or users are affected by this issue. Please note that the vulnerability is specific to this extension, and the same kubeconfig would not result in arbitrary code execution when used with kubectl. Using only trust-worthy kubeconfigs is a safe mitigation. • https://github.com/weaveworks/vscode-gitops-tools/security/advisories/GHSA-287h-vjhw-jqf7 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •