CVE-2021-3948

mig-controller: incorrect namespaces handling may lead to not authorized usage of Migration Toolkit for Containers (MTC)

Severity Score

6.3

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

An incorrect default permissions vulnerability was found in the mig-controller. Due to an incorrect cluster namespaces handling an attacker may be able to migrate a malicious workload to the target cluster, impacting confidentiality, integrity, and availability of the services located on that cluster.

Se ha encontrado una vulnerabilidad de permisos por defecto incorrectos en el controlador mig. Debido a un manejo incorrecto de espacios de nombres del cluster, un atacante puede ser capaz de migrar una carga de trabajo maliciosa al cluster de destino, impactando la confidencialidad, integridad y disponibilidad de los servicios ubicados en ese cluster

The Migration Toolkit for Containers enables you to migrate Kubernetes resources, persistent volume data, and internal container images between OpenShift Container Platform clusters, using the MTC web console or the Kubernetes API. Issues addressed include code execution and denial of service vulnerabilities.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

Low

Attack Vector

Network

Attack Complexity

Low

Authentication

Single

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2021-11-11 CVE Reserved
2021-11-30 CVE Published
2024-08-03 CVE Updated
2025-03-30 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-276: Incorrect Default Permissions

CAPEC

References (2)

URL	Tag	Source

URL	Date	SRC

URL	Date	SRC
https://bugzilla.redhat.com/show_bug.cgi?id=2022017	2022-01-20

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2021-3948	2022-01-20

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Redhat Search vendor "Redhat"	Migration Toolkit Search vendor "Redhat" for product "Migration Toolkit"	1.0 Search vendor "Redhat" for product "Migration Toolkit" and version "1.0"	-	Affected	in	Redhat Search vendor "Redhat"	Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux"	7.0 Search vendor "Redhat" for product "Enterprise Linux" and version "7.0"	-	Safe
Redhat Search vendor "Redhat"	Migration Toolkit Search vendor "Redhat" for product "Migration Toolkit"	1.0 Search vendor "Redhat" for product "Migration Toolkit" and version "1.0"	-	Affected	in	Redhat Search vendor "Redhat"	Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux"	8.0 Search vendor "Redhat" for product "Enterprise Linux" and version "8.0"	-	Safe
Konveyor Search vendor "Konveyor"		Mig-controller Search vendor "Konveyor" for product "Mig-controller"				< 1.5.2 Search vendor "Konveyor" for product "Mig-controller" and version " < 1.5.2"		-		Affected
Konveyor Search vendor "Konveyor"		Mig-controller Search vendor "Konveyor" for product "Mig-controller"				>= 1.6.0 < 1.6.3 Search vendor "Konveyor" for product "Mig-controller" and version " >= 1.6.0 < 1.6.3"		-		Affected
Redhat Search vendor "Redhat"		Migration Toolkit Search vendor "Redhat" for product "Migration Toolkit"				1.5 Search vendor "Redhat" for product "Migration Toolkit" and version "1.5"		containers		Affected
Redhat Search vendor "Redhat"		Migration Toolkit Search vendor "Redhat" for product "Migration Toolkit"				1.6 Search vendor "Redhat" for product "Migration Toolkit" and version "1.6"		containers		Affected