CVE-2021-3495
First published: Tue Jun 01 2021(Updated: )
An incorrect access control flaw was found in the kiali-operator in versions before 1.33.0 and before 1.24.7. This flaw allows an attacker with a basic level of access to the cluster (to deploy a kiali operand) to use this vulnerability and deploy a given image to anywhere in the cluster, potentially gaining access to privileged service account tokens. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Netlify Kiali-operator | <1.24.7 | |
| Netlify Kiali-operator | >=1.30.0<1.33.0 | |
| Redhat Openshift Service Mesh | =1.0 | |
| Redhat Openshift Service Mesh | =2.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2021-3495?
CVE-2021-3495 is an incorrect access control flaw in the kiali-operator.
What is the severity of CVE-2021-3495?
CVE-2021-3495 has a severity rating of 8.8 (High).
Which software versions are affected by CVE-2021-3495?
CVE-2021-3495 affects Netlify Kiali-operator versions before 1.33.0 and before 1.24.7, as well as Redhat Openshift Service Mesh versions 1.0 and 2.0.
How can an attacker exploit CVE-2021-3495?
An attacker with basic level access to the cluster can deploy a kiali operand and use the vulnerability to deploy a given image anywhere in the cluster.
Are there any references for CVE-2021-3495?
Yes, you can find more information about CVE-2021-3495 in the following references: [link 1](https://bugzilla.redhat.com/show_bug.cgi?id=1947361) and [link 2](https://kiali.io/news/security-bulletins/kiali-security-003/).
- collector/nvd-index
- vendor/netlify
- product/kiali-operator
- canonical/netlify kiali-operator
- vendor/redhat
- product/openshift service mesh
- canonical/redhat openshift service mesh