CVSS2: 4.3 Medium (AV:N/AC:M/Au:N/C:P/I:N/A:N)

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | MEDIUM |
Authentication | NONE |
Confidentiality Impact | PARTIAL |
Integrity Impact | NONE |
Availability Impact | NONE |

CVSS3: 9.8 High (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | NONE |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | HIGH |
Integrity Impact | HIGH |
Availability Impact | HIGH |

EPSS: 0.002 Low (Percentile 59.6%)

Garden is an automation platform for Kubernetes development and testing. In
versions prior to 0.12.39, multiple endpoints did not require
authentication. In some operating modes this allows an attacker to
improperly gain access to the application. The configuration is leaked
through the /api endpoint on the local server that is responsible for
serving the Garden dashboard. At the moment, this server listens on
0.0.0.0, which makes it accessible to anyone on the same network (or anyone
on the internet if the host has a public, static IP). This may lead to the
compromise of credentials, secrets or environment variables. Users are
advised to upgrade to version 0.12.39 as soon as possible. Users unable to
upgrade should use a firewall to block access to port 9777 from all
untrusted network machines.
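
To check a workstation for the exposure described above, the following added example (not part of the advisory or of Garden's code) filters `ss -H -ltn` output for listeners on port 9777 that are bound to a non-loopback address. The function name `exposed_listeners` and the sample socket lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag TCP listeners on a given port that are reachable from
# other hosts, i.e. bound to anything other than a loopback address.
# Input is `ss -H -ltn` output on stdin; output is one bind address per line.

exposed_listeners() {
    # $1 = port to check (9777 is the dashboard port named in the advisory)
    awk -v p="$1" '
        $1 != "LISTEN" { next }                  # skip headers and other states
        {
            # Local address is field 4; the port follows the LAST colon,
            # which also handles bracketed IPv6 such as [::]:9777.
            if (!match($4, /:[0-9]+$/)) next
            port = substr($4, RSTART + 1)
            addr = substr($4, 1, RSTART - 1)
            if (port != p "") next
            # Loopback binds are not reachable from the network.
            if (addr ~ /^127\./ || addr == "[::1]") next
            print addr
        }
    '
    return 0
}

# Constructed sample of `ss -H -ltn` output (not captured from a real host).
SAMPLE_SS='LISTEN 0 511 0.0.0.0:9777 0.0.0.0:*
LISTEN 0 128 127.0.0.1:5432 0.0.0.0:*
LISTEN 0 511 [::]:9777 [::]:*
LISTEN 0 128 127.0.0.1:9777 0.0.0.0:*
LISTEN 0 4096 *:9777 *:*'

# Demo on the constructed sample; on a live host run:
#   ss -H -ltn | exposed_listeners 9777
printf '%s\n' "$SAMPLE_SS" | exposed_listeners 9777
```

Any address printed means the port is bound beyond loopback on that host and should be covered by the firewall rule or the upgrade to 0.12.39.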
Author | Note |
---|---|
leosilva | kubernetes is in fact a kubernetes installer that calls snap, not the package itself. |
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
ubuntu | 20.04 | noarch | kubernetes | < any | UNKNOWN |
ubuntu | 22.04 | noarch | kubernetes | < any | UNKNOWN |
ubuntu | 23.10 | noarch | kubernetes | < any | UNKNOWN |
ubuntu | 24.04 | noarch | kubernetes | < any | UNKNOWN |
github.com/garden-io/garden/commit/56051a5b50409227bc420910da88ed156a6e432b
github.com/garden-io/garden/security/advisories/GHSA-f5f3-qrqw-2vqf
launchpad.net/bugs/cve/CVE-2022-24829
nvd.nist.gov/vuln/detail/CVE-2022-24829
security-tracker.debian.org/tracker/CVE-2022-24829
www.cve.org/CVERecord?id=CVE-2022-24829