Search criteria
4 vulnerabilities found for Longhorn by SUSE
CVE-2021-36780 (GCVE-0-2021-36780)
Vulnerability from nvd – Published: 2021-12-17 08:55 – Updated: 2024-09-16 23:15
VLAI
Title
Unauthorized data access from replicas through vulnerable instance manager pods
Summary
A Missing Authentication for Critical Function vulnerability in longhorn of SUSE Longhorn allows attackers to connect to a longhorn-engine replica instance granting it the ability to read and write data to and from a replica that they should not have access to. This issue affects: SUSE Longhorn longhorn versions prior to 1.1.3; longhorn versions prior to 1.2.3v.
Severity
8.1 (High)
CWE
- CWE-306 - Missing Authentication for Critical Function
Assigner
References
Impacted products
Date Public
2021-12-17 00:00
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T01:01:59.672Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/longhorn/longhorn/security/advisories/GHSA-g358-m2wp-mhhx"
},
{
"tags": [
"x_transferred"
],
"url": "https://bugzilla.suse.com/show_bug.cgi?id=1191819"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Longhorn",
"vendor": "SUSE",
"versions": [
{
"lessThan": "1.1.3",
"status": "affected",
"version": "longhorn",
"versionType": "custom"
}
]
},
{
"product": "Longhorn",
"vendor": "SUSE",
"versions": [
{
"lessThan": "1.2.3v",
"status": "affected",
"version": "longhorn",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Dagan Henderson and Will Kline"
}
],
"datePublic": "2021-12-17T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A Missing Authentication for Critical Function vulnerability in longhorn of SUSE Longhorn allows attackers to connect to a longhorn-engine replica instance granting it the ability to read and write data to and from a replica that they should not have access to. This issue affects: SUSE Longhorn longhorn versions prior to 1.1.3; longhorn versions prior to 1.2.3v."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306: Missing Authentication for Critical Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-01-19T00:00:00.000Z",
"orgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
"shortName": "suse"
},
"references": [
{
"url": "https://github.com/longhorn/longhorn/security/advisories/GHSA-g358-m2wp-mhhx"
},
{
"url": "https://bugzilla.suse.com/show_bug.cgi?id=1191819"
}
],
"source": {
"advisory": "https://bugzilla.suse.com/show_bug.cgi?id=1191819",
"defect": [
"1191819"
],
"discovery": "EXTERNAL"
},
"title": "Unauthorized data access from replicas through vulnerable instance manager pods",
"x_generator": {
"engine": "Vulnogram 0.0.9"
}
}
},
"cveMetadata": {
"assignerOrgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
"assignerShortName": "suse",
"cveId": "CVE-2021-36780",
"datePublished": "2021-12-17T08:55:14.523Z",
"dateReserved": "2021-07-19T00:00:00.000Z",
"dateUpdated": "2024-09-16T23:15:43.598Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-36779 (GCVE-0-2021-36779)
Vulnerability from nvd – Published: 2021-12-17 08:55 – Updated: 2024-09-16 23:20
VLAI
Title
Host operations allowed in privileged Longhorn managed pods
Summary
A Missing Authentication for Critical Function vulnerability in SUSE Longhorn allows any workload in the cluster to execute any binary present in the image on the host without authentication. This issue affects: SUSE Longhorn longhorn versions prior to 1.1.3; longhorn versions prior to 1.2.3.
Severity
9.6 (Critical)
CWE
- CWE-306 - Missing Authentication for Critical Function
Assigner
References
Impacted products
Date Public
2021-12-17 00:00
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T01:01:59.764Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://bugzilla.suse.com/show_bug.cgi?id=1191818"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/longhorn/longhorn/security/advisories/GHSA-g358-m2wp-mhhx"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Longhorn",
"vendor": "SUSE",
"versions": [
{
"lessThan": "1.1.3",
"status": "affected",
"version": "longhorn",
"versionType": "custom"
}
]
},
{
"product": "Longhorn",
"vendor": "SUSE",
"versions": [
{
"lessThan": "1.2.3",
"status": "affected",
"version": "longhorn",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Dagan Henderson and Will Kline"
}
],
"datePublic": "2021-12-17T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A Missing Authentication for Critical Function vulnerability in SUSE Longhorn allows any workload in the cluster to execute any binary present in the image on the host without authentication. This issue affects: SUSE Longhorn longhorn versions prior to 1.1.3; longhorn versions prior to 1.2.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.6,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306: Missing Authentication for Critical Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-01-19T00:00:00.000Z",
"orgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
"shortName": "suse"
},
"references": [
{
"url": "https://bugzilla.suse.com/show_bug.cgi?id=1191818"
},
{
"url": "https://github.com/longhorn/longhorn/security/advisories/GHSA-g358-m2wp-mhhx"
}
],
"source": {
"advisory": "https://bugzilla.suse.com/show_bug.cgi?id=1191818",
"defect": [
"1191818"
],
"discovery": "EXTERNAL"
},
"title": "Host operations allowed in privileged Longhorn managed pods",
"x_generator": {
"engine": "Vulnogram 0.0.9"
}
}
},
"cveMetadata": {
"assignerOrgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
"assignerShortName": "suse",
"cveId": "CVE-2021-36779",
"datePublished": "2021-12-17T08:55:13.033Z",
"dateReserved": "2021-07-19T00:00:00.000Z",
"dateUpdated": "2024-09-16T23:20:38.350Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-36780 (GCVE-0-2021-36780)
Vulnerability from cvelistv5 – Published: 2021-12-17 08:55 – Updated: 2024-09-16 23:15
VLAI
Title
Unauthorized data access from replicas through vulnerable instance manager pods
Summary
A Missing Authentication for Critical Function vulnerability in longhorn of SUSE Longhorn allows attackers to connect to a longhorn-engine replica instance granting it the ability to read and write data to and from a replica that they should not have access to. This issue affects: SUSE Longhorn longhorn versions prior to 1.1.3; longhorn versions prior to 1.2.3v.
Severity
8.1 (High)
CWE
- CWE-306 - Missing Authentication for Critical Function
Assigner
References
Impacted products
Date Public
2021-12-17 00:00
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T01:01:59.672Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/longhorn/longhorn/security/advisories/GHSA-g358-m2wp-mhhx"
},
{
"tags": [
"x_transferred"
],
"url": "https://bugzilla.suse.com/show_bug.cgi?id=1191819"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Longhorn",
"vendor": "SUSE",
"versions": [
{
"lessThan": "1.1.3",
"status": "affected",
"version": "longhorn",
"versionType": "custom"
}
]
},
{
"product": "Longhorn",
"vendor": "SUSE",
"versions": [
{
"lessThan": "1.2.3v",
"status": "affected",
"version": "longhorn",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Dagan Henderson and Will Kline"
}
],
"datePublic": "2021-12-17T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A Missing Authentication for Critical Function vulnerability in longhorn of SUSE Longhorn allows attackers to connect to a longhorn-engine replica instance granting it the ability to read and write data to and from a replica that they should not have access to. This issue affects: SUSE Longhorn longhorn versions prior to 1.1.3; longhorn versions prior to 1.2.3v."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306: Missing Authentication for Critical Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-01-19T00:00:00.000Z",
"orgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
"shortName": "suse"
},
"references": [
{
"url": "https://github.com/longhorn/longhorn/security/advisories/GHSA-g358-m2wp-mhhx"
},
{
"url": "https://bugzilla.suse.com/show_bug.cgi?id=1191819"
}
],
"source": {
"advisory": "https://bugzilla.suse.com/show_bug.cgi?id=1191819",
"defect": [
"1191819"
],
"discovery": "EXTERNAL"
},
"title": "Unauthorized data access from replicas through vulnerable instance manager pods",
"x_generator": {
"engine": "Vulnogram 0.0.9"
}
}
},
"cveMetadata": {
"assignerOrgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
"assignerShortName": "suse",
"cveId": "CVE-2021-36780",
"datePublished": "2021-12-17T08:55:14.523Z",
"dateReserved": "2021-07-19T00:00:00.000Z",
"dateUpdated": "2024-09-16T23:15:43.598Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-36779 (GCVE-0-2021-36779)
Vulnerability from cvelistv5 – Published: 2021-12-17 08:55 – Updated: 2024-09-16 23:20
VLAI
Title
Host operations allowed in privileged Longhorn managed pods
Summary
A Missing Authentication for Critical Function vulnerability in SUSE Longhorn allows any workload in the cluster to execute any binary present in the image on the host without authentication. This issue affects: SUSE Longhorn longhorn versions prior to 1.1.3; longhorn versions prior to 1.2.3.
Severity
9.6 (Critical)
CWE
- CWE-306 - Missing Authentication for Critical Function
Assigner
References
Impacted products
Date Public
2021-12-17 00:00
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T01:01:59.764Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://bugzilla.suse.com/show_bug.cgi?id=1191818"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/longhorn/longhorn/security/advisories/GHSA-g358-m2wp-mhhx"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Longhorn",
"vendor": "SUSE",
"versions": [
{
"lessThan": "1.1.3",
"status": "affected",
"version": "longhorn",
"versionType": "custom"
}
]
},
{
"product": "Longhorn",
"vendor": "SUSE",
"versions": [
{
"lessThan": "1.2.3",
"status": "affected",
"version": "longhorn",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Dagan Henderson and Will Kline"
}
],
"datePublic": "2021-12-17T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A Missing Authentication for Critical Function vulnerability in SUSE Longhorn allows any workload in the cluster to execute any binary present in the image on the host without authentication. This issue affects: SUSE Longhorn longhorn versions prior to 1.1.3; longhorn versions prior to 1.2.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.6,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306: Missing Authentication for Critical Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-01-19T00:00:00.000Z",
"orgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
"shortName": "suse"
},
"references": [
{
"url": "https://bugzilla.suse.com/show_bug.cgi?id=1191818"
},
{
"url": "https://github.com/longhorn/longhorn/security/advisories/GHSA-g358-m2wp-mhhx"
}
],
"source": {
"advisory": "https://bugzilla.suse.com/show_bug.cgi?id=1191818",
"defect": [
"1191818"
],
"discovery": "EXTERNAL"
},
"title": "Host operations allowed in privileged Longhorn managed pods",
"x_generator": {
"engine": "Vulnogram 0.0.9"
}
}
},
"cveMetadata": {
"assignerOrgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
"assignerShortName": "suse",
"cveId": "CVE-2021-36779",
"datePublished": "2021-12-17T08:55:13.033Z",
"dateReserved": "2021-07-19T00:00:00.000Z",
"dateUpdated": "2024-09-16T23:20:38.350Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}