SCA: security update for github.com/weaveworks/weave-gitops (GHSA-89qm-wcmw-3mgg)

medium Tenable Cloud Security Plugin ID 412568

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Weave GitOps is a simple open source developer platform for people who want cloud native applications,
without needing Kubernetes expertise. GitOps run has a local S3 bucket which it uses for synchronizing
files that are later applied against a Kubernetes cluster. The communication between GitOps Run and the
local S3 bucket is not encrypted. This allows privileged users or process to tap the local traffic to gain
information permitting access to the s3 bucket. From that point, it would be possible to alter the bucket
content, resulting in changes in the Kubernetes cluster's resources. There are no known workaround(s) for
this vulnerability. This vulnerability has been fixed by commits ce2bbff and babd915. Users should upgrade
to Weave GitOps version >= v0.12.0 released on 08/12/2022. (CVE-2022-23509)

See Also

https://github.com/advisories/GHSA-89qm-wcmw-3mgg

Plugin Details

Severity: Medium

ID: 412568

Version: Revision 1.7

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.3

Percentile: 53.37

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: Medium

Base Score: 5.9

Temporal Score: 4.4

Vector: CVSS2#AV:L/AC:L/Au:M/C:C/I:C/A:N

CVSS Score Source: CVE-2022-23509

CVSS v3

Risk Factor: Medium

Base Score: 6

Temporal Score: 5.2

Vector: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 1/9/2023

Vulnerability Publication Date: 1/9/2023

Reference Information

CVE: CVE-2022-23509