cvelist | Suse | CVELIST:CVE-2021-36780
History: Dec 17, 2021 - 8:55 a.m.

CVE-2021-36780 Unauthorized data access from replicas through vulnerable instance manager pods

2021-12-17 08:55:14
CWE-306
suse
www.cve.org
6
cve-2021-36780
unauthorized data access
suse longhorn
missing authentication
instance manager pods
critical function

CVSS3: 8.1

Attack Vector: ADJACENT
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: NONE

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

AI Score: 8.1
Confidence: High

EPSS: 0.001
Percentile: 32.8%

A Missing Authentication for Critical Function vulnerability in longhorn of SUSE Longhorn allows attackers to connect to a longhorn-engine replica instance, granting them the ability to read and write data to and from a replica that they should not have access to. This issue affects: SUSE Longhorn longhorn versions prior to 1.1.3; longhorn versions prior to 1.2.3v.

CNA Affected

[
  {
    "vendor": "SUSE",
    "product": "Longhorn",
    "versions": [
      {
        "version": "longhorn",
        "status": "affected",
        "lessThan": "1.1.3",
        "versionType": "custom"
      }
    ]
  },
  {
    "vendor": "SUSE",
    "product": "Longhorn",
    "versions": [
      {
        "version": "longhorn",
        "status": "affected",
        "lessThan": "1.2.3v",
        "versionType": "custom"
      }
    ]
  }
]
