This repository has been archived by the owner on Sep 9, 2024. It is now read-only.

github.com/kanisterio/kanister-v0.0.0-20230926202220-eb892498a2f9: 1 vulnerabilities (highest severity is: 8.8) #17

Open
mend-bolt-for-github bot opened this issue Aug 21, 2024 · 1 comment
Labels
Mend: dependency security vulnerability Security vulnerability detected by Mend

Comments

@mend-bolt-for-github

Vulnerable Library - github.com/kanisterio/kanister-v0.0.0-20230926202220-eb892498a2f9

Library home page: https://proxy.golang.org/github.com/kanisterio/kanister/@v/v0.0.0-20230926202220-eb892498a2f9.zip

Path to dependency file: /Kanister Visualiser/go.mod

Path to vulnerable library: /Kanister Visualiser/go.mod

Vulnerabilities

CVE:                 CVE-2024-43403
Severity:            High
CVSS:                8.8
Dependency:          github.com/kanisterio/kanister-v0.0.0-20230926202220-eb892498a2f9
Type:                Direct
Fixed in (github.com/kanisterio/kanister-v0.0.0 version): N/A
Remediation Possible**: (none listed)

** In some cases, a remediation PR cannot be created automatically for a vulnerability despite the availability of a remediation.

Details

CVE-2024-43403

Dependency Hierarchy:

  • github.com/kanisterio/kanister-v0.0.0-20230926202220-eb892498a2f9 (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Kanister is a data protection workflow management tool. Kanister has a deployment called default-kanister-operator, which is bound to a ClusterRole called edit via a ClusterRoleBinding. The "edit" ClusterRole is one of the default-created Kubernetes ClusterRoles, and it has the create/patch/update verbs on daemonset resources, the create verb on serviceaccount/token resources, and the impersonate verb on serviceaccounts resources. A malicious user can leverage access to the worker node which has this component to perform a cluster-level privilege escalation.

Publish Date: 2024-08-20

URL: CVE-2024-43403

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


@mend-bolt-for-github mend-bolt-for-github bot added the Mend: dependency security vulnerability Security vulnerability detected by Mend label Aug 21, 2024
@MichaelCade (Contributor)

Please remove this as this has been enhanced in my own repository.
