Lucene search

SnykCVELIST:CVE-2023-1065

HistoryFeb 28, 2023 - 6:32 p.m.

CVE-2023-1065

2023-02-2818:32:47

snyk

www.cve.org

snyk

kubernetes monitor

irrelevant data

security issues

integration

authenticated

organization id

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

EPSS

0.001

Percentile

39.5%

JSON

This vulnerability in the Snyk Kubernetes Monitor can result in irrelevant data being posted to a Snyk Organization, which could in turn obfuscate other, relevant, security issues. It does not expose the user of the integration to any direct security risk and no user data can be leaked. To exploit the vulnerability the attacker does not need to be authenticated to Snyk but does need to know the target’s Integration ID (which may or may not be the same as the Organization ID, although this is an unpredictable UUID in either case).

CNA Affected

[
  {
    "product": "Snyk Kubernetes Monitor",
    "vendor": "Snyk",
    "versions": [
      {
        "lessThan": "2.0.0",
        "status": "affected",
        "version": "0",
        "versionType": "semver"
      }
    ]
  }
]

References

github.com/snyk/kubernetes-monitor

github.com/snyk/kubernetes-monitor/commit/5b9a7821680bbfb6c4a900ab05d898ce2b2cc157

github.com/snyk/kubernetes-monitor/pull/1275

snyk.io/blog/api-auth-vuln-snyk-kubernetes-cve-2023-1065/

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

EPSS

0.001

Percentile

39.5%

JSON

Related for CVELIST:CVE-2023-1065