12 matches found
GO-2023-1925 Weave GitOps Terraform Controller Information Disclosure Vulnerability in github.com/weaveworks/tf-controller
Weave GitOps Terraform Controller Information Disclosure Vulnerability in github.com/weaveworks/tf-controller...
Information Disclosure
github.com/weaveworks/tf-controller is vulnerable to Information Disclosure. A flaw in Weave GitOps Terraform Runners tf-runner allows an authenticated remote attacker to acquire user information in pod logs due to accidentally displaying sensitive data by the victim. The functions tfexec.ShowPla...
Workload Injection
github.com/weaveworks/weave-gitops is vulnerable to workload injection. The library uses an S3 bucket for synchronising files, with no security controls to block unauthorised access in its endpoint, which allows local users on the same machine to see and alter the bucket content...
GHSA-89QM-WCMW-3MGG Gitops Run insecure communication
Impact GitOps run has a local S3 bucket which it uses for synchronising files that are later applied against a Kubernetes cluster. The communication between GitOps Run and the local S3 bucket is not encrypted. This allows privileged users or processes to tap the local traffic to gain information...
GitOps Run allows for Kubernetes workload injection
Impact A vulnerability in GitOps run could allow a local user or process to alter a Kubernetes cluster's resources. GitOps run has a local S3 bucket which it uses for synchronising files that are later applied against a Kubernetes cluster. Its endpoint had no security controls to block unauthoris...
CVE-2022-23508 GitOps Run allows for Kubernetes workload injection
Weave GitOps is a simple open source developer platform for people who want cloud native applications, without needing Kubernetes expertise. A vulnerability in GitOps run could allow a local user or process to alter a Kubernetes cluster's resources. GitOps run has a local S3 bucket which it uses...
Weave GitOps Security Vulnerability
Weaveworks Weave GitOps is a simple open source developer platform from Weaveworks, UK. Weave GitOps suffers from a security vulnerability that stems from endpoints having no security controls to block unauthorized access...
Weave GitOps Log Information Disclosure Vulnerability
Weave GitOps is a simple open source developer platform from Weaveworks. Weave GitOps has a log information disclosure vulnerability. The vulnerability stems from insufficient protection of sensitive information and can be exploited by an authenticated remote attacker to view sensitive...
Weave GitOps leaked cluster credentials into logs on connection errors
Impact A vulnerability in the logging of Weave GitOps could allow an authenticated remote attacker to view sensitive cluster configurations, aka KubeConfig, of registered Kubernetes clusters, including the service account tokens in plain text from Weave GitOps's pod logs on the management cluster...
GHSA-XGGC-QPRG-X6MW Weave GitOps leaked cluster credentials into logs on connection errors
Impact A vulnerability in the logging of Weave GitOps could allow an authenticated remote attacker to view sensitive cluster configurations, aka KubeConfig, of registered Kubernetes clusters, including the service account tokens in plain text from Weave GitOps's pod logs on the management cluster...
Privilege Escalation
github.com/weaveworks/weave is vulnerable to Privilege Escalation. The vulnerability exists because the hostPID setting is set to true, allowing an attacker to take over any host in the Docker container cluster...
Unspecified Vulnerability in Weaveworks Weave Net
Weaveworks Weave Net is a cloud-native networking toolkit from Weaveworks UK. A security vulnerability in Weaveworks Weave Net versions prior to 2.6.3 can be exploited by an attacker to reconfigure a host to redirect some or all of the host's IPv6 traffic to a container under the attacker's contr...