CVE-2021-3495
moderate-risk
Published 2021-06-01
An incorrect access control flaw was found in the kiali-operator in versions before 1.33.0 and before 1.24.7. This flaw allows an attacker with a basic level of access to the cluster (to deploy a kiali operand) to use this vulnerability and deploy a given image to anywhere in the cluster, potentially gaining access to privileged service account tokens. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Do I need to act?
-
0.34% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
8
CVSS 8.8/10
High
NETWORK
/ LOW complexity
Affected Products (3)
References (4)
Issue Tracking
https://bugzilla.redhat.com/show_bug.cgi?id=1947361
Vendor Advisory
https://kiali.io/news/security-bulletins/kiali-security-003/
Issue Tracking
https://bugzilla.redhat.com/show_bug.cgi?id=1947361
Vendor Advisory
https://kiali.io/news/security-bulletins/kiali-security-003/
40
/ 100
moderate-risk
Severity
30/34 · Critical
Exploitability
1/34 · Minimal
Exposure
9/34 · Low