SCA: security update for github.com/weaveworks/weave-gitops (GHSA-wr3c-g326-486c)

high Tenable Cloud Security Plugin ID 420086

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Weave GitOps is a simple open source developer platform for people who want cloud native applications,
without needing Kubernetes expertise. A vulnerability in GitOps run could allow a local user or process to
alter a Kubernetes cluster's resources. GitOps run has a local S3 bucket which it uses for synchronizing
files that are later applied against a Kubernetes cluster. Its endpoint had no security controls to block
unauthorized access, therefore allowing local users (and processes) on the same machine to see and alter
the bucket content. By leveraging this vulnerability, an attacker could pick a workload of their choosing
and inject it into the S3 bucket, which resulted in the successful deployment in the target cluster,
without the need to provide any credentials to either the S3 bucket nor the target Kubernetes cluster.
There are no known workarounds for this issue, please upgrade. This vulnerability has been fixed by
commits 75268c4 and 966823b. Users should upgrade to Weave GitOps version >= v0.12.0 released on
08/12/2022. ### Workarounds There is no workaround for this vulnerability. ### References Disclosed by
Paulo Gomes, Senior Software Engineer, Weaveworks. ### For more information If you have any questions or
comments about this advisory: - Open an issue in [Weave GitOps
repository](https://github.com/weaveworks/weave-gitops) - Email us at
[[email protected]](mailto:[email protected]) (CVE-2022-23508)

See Also

https://github.com/advisories/GHSA-wr3c-g326-486c

Plugin Details

Severity: High

ID: 420086

Version: Revision 1.8

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.58

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5

Vector: CVSS2#AV:L/AC:L/Au:S/C:C/I:C/A:C

CVSS Score Source: CVE-2022-23508

CVSS v3

Risk Factor: High

Base Score: 7.8

Temporal Score: 6.8

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 1/9/2023

Vulnerability Publication Date: 1/9/2023

Reference Information

CVE: CVE-2022-23508