Vulnerability Information
Vulnerability Title
Missing authentication in Garden
Vulnerability Description
Garden is an automation platform for Kubernetes development and testing. In versions prior to 0.12.39, multiple endpoints did not require authentication. In some operating modes this allows an attacker to erroneously gain access to the application. The configuration is leaked through the /api endpoint on the local server that is responsible for serving the Garden dashboard. At the moment, this server listens on 0.0.0.0, which makes it accessible to anyone on the same network (or anyone on the internet if the host has a public, static IP). This may lead to the compromise of credentials, secrets or environment variables. Users are advised to upgrade to version 0.12.39 as soon as possible. Users unable to upgrade should use a firewall to block access to port 9777 from all untrusted network machines.
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Vulnerability Type
Missing authentication for critical function
Vulnerability Title
Gardener access control error vulnerability
Vulnerability Description
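Gardener is an open-source Kubernetes cluster management tool. The product supports managing, monitoring and updating Kubernetes clusters. Gardener has an access control error vulnerability that allows an attacker to erroneously gain access to the application. The configuration is leaked through the /api endpoint on the local server that is responsible for serving the Garden dashboard.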
CVSS Information
N/A
Vulnerability Type
N/A