First published: Thu Apr 08 2021(Updated: )
An incorrect access control flaw was found in the kiali-operator in versions before 1.33.0 and before 1.24.7. This flaw allows an attacker with a basic level of access to the cluster (to deploy a kiali operand) to use this vulnerability and deploy a given image to anywhere in the cluster, potentially gaining access to privileged service account tokens. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Credit: secalert@redhat.com
Affected Software | Affected Version | How to fix |
---|---|---|
Netlify Kiali-operator | <1.24.7 | |
Netlify Kiali-operator | >=1.30.0<1.33.0 | |
Redhat Openshift Service Mesh | =1.0 | |
Redhat Openshift Service Mesh | =2.0 | |
redhat/kiali/kiali-operator | <1.33.0 | 1.33.0 |
redhat/kiali/kiali-operator | <1.24.7 | 1.24.7 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2021-3495 is an incorrect access control flaw in the kiali-operator.
CVE-2021-3495 has a severity rating of 8.8 (High).
CVE-2021-3495 affects Netlify Kiali-operator versions before 1.33.0 and before 1.24.7, as well as Redhat Openshift Service Mesh versions 1.0 and 2.0.
An attacker with basic level access to the cluster can deploy a kiali operand and use the vulnerability to deploy a given image anywhere in the cluster.
Yes, you can find more information about CVE-2021-3495 in the following references: [link 1](https://bugzilla.redhat.com/show_bug.cgi?id=1947361) and [link 2](https://kiali.io/news/security-bulletins/kiali-security-003/).