Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Missing authentication in Garden
Vulnerability Description
Garden is an automation platform for Kubernetes development and testing. In versions prior to 0.12.39 multiple endpoints did not require authentication. In some operating modes this allows for an attacker to gain access to the application erroneously. The configuration is leaked through the /api endpoint on the local server that is responsible for serving the Garden dashboard. At the moment, this server is accessible to 0.0.0.0 which makes it accessible to anyone on the same network (or anyone on the internet if they are on a public, static IP). This may lead to the ability to compromise credentials, secrets or environment variables. Users are advised to upgrade to version 0.12.39 as soon as possible. Users unable to upgrade should use a firewall blocking access to port 9777 from all untrusted network machines.
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Vulnerability Type
关键功能的认证机制缺失
Vulnerability Title
Gardener 访问控制错误漏洞
Vulnerability Description
Gardener是一款开源的Kubernetes集群管理工具。该产品支持管理、监控和更新Kubernetes集群。 Gardener存在访问控制错误漏洞,该漏洞允许攻击者错误地访问应用程序。配置通过负责为 Garden 仪表板提供服务的本地服务器上的 /api 端点泄露。
CVSS Information
N/A
Vulnerability Type
N/A