GHSA-PV22-FQCJ-7XWH

Vulnerability from github – Published: 2025-05-06 00:42 – Updated: 2025-05-06 19:13
VLAI
Summary
Inspektor Gadget Security Policies Can be Bypassed
Details

Security policies like allowed-gadgets, disallow-pulling, verify-image can be bypassed by a malicious client.

Impact

Users running ig in daemon mode or IG on Kubernetes that rely on any of the features mentioned above are vulnerable to this issue. In order to exploit this, the client needs access to the server, like the correct TLS certificates on the ig daemon case or access to the cluster in the Kubernetes case.

Patches

The issue has been fixed in v0.40.0

Workarounds

There is not known workaround to fix it.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/inspektor-gadget/inspektor-gadget"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.31.0"
            },
            {
              "fixed": "0.40.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-285"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-05-06T00:42:04Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "Security policies like [`allowed-gadgets`](https://inspektor-gadget.io/docs/latest/reference/restricting-gadgets),  [`disallow-pulling`](https://inspektor-gadget.io/docs/latest/reference/disallow-pulling), [`verify-image`](https://inspektor-gadget.io/docs/latest/reference/verify-assets#verify-image-based-gadgets) can be bypassed by a malicious client.\n\n### Impact\n\nUsers running `ig` in daemon mode or IG on Kubernetes that rely on any of the features mentioned above are vulnerable to this issue. In order to exploit this, the client needs access to the server, like the correct TLS certificates on the `ig daemon` case or access to the cluster in the Kubernetes case. \n\n### Patches\n\nThe issue has been fixed in v0.40.0\n\n### Workarounds\n\nThere is not known workaround to fix it.",
  "id": "GHSA-pv22-fqcj-7xwh",
  "modified": "2025-05-06T19:13:21Z",
  "published": "2025-05-06T00:42:04Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/inspektor-gadget/inspektor-gadget/security/advisories/GHSA-pv22-fqcj-7xwh"
    },
    {
      "type": "WEB",
      "url": "https://github.com/inspektor-gadget/inspektor-gadget/commit/c51d419964f5b6f9344fcad4faba70e2e025212b"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/inspektor-gadget/inspektor-gadget"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2025-3665"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Inspektor Gadget Security Policies Can be Bypassed"
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…