SCA: security update for github.com/weaveworks/weave-gitops (GHSA-xggc-qprg-x6mw)

high Tenable Cloud Security Plugin ID 420488

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Weave GitOps is a simple open source developer platform for people who want cloud native applications,
without needing Kubernetes expertise. A vulnerability in the logging of Weave GitOps could allow an
authenticated remote attacker to view sensitive cluster configurations, aka KubeConfg, of registered
Kubernetes clusters, including the service account tokens in plain text from Weave GitOps's pod logs on
the management cluster. An unauthorized remote attacker can also view these sensitive configurations from
external log storage if enabled by the management cluster. This vulnerability is due to the client factory
dumping cluster configurations and their service account tokens when the cluster manager tries to connect
to an API server of a registered cluster, and a connection error occurs. An attacker could exploit this
vulnerability by either accessing logs of a pod of Weave GitOps, or from external log storage and
obtaining all cluster configurations of registered clusters. A successful exploit could allow the attacker
to use those cluster configurations to manage the registered Kubernetes clusters. This vulnerability has
been fixed by commit 567356f471353fb5c676c77f5abc2a04631d50ca. Users should upgrade to Weave GitOps core
version v0.8.1-rc.6 or newer. There is no known workaround for this vulnerability. (CVE-2022-31098)

See Also

https://github.com/advisories/GHSA-xggc-qprg-x6mw

Plugin Details

Severity: High

ID: 420488

Version: Revision 1.6

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.18

Vendor

Vendor Severity: Critical

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.2

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N

CVSS Score Source: CVE-2022-31098

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 6/23/2022

Vulnerability Publication Date: 6/23/2022

Reference Information

CVE: CVE-2022-31098