CVE-2016-15036: 
vulnerability analysis and mitigation

A race condition vulnerability was discovered in Deis Workflow Manager versions up to 2.3.2. The vulnerability affects the cluster_id functionality when called concurrently. This issue was disclosed on December 23, 2023, and has been assigned CVE-2016-15036. The vulnerability has been classified as problematic with a CVSS v3.1 base score of 7.5 (HIGH) (NVD).

The vulnerability exists in the Get() method which functions as an "insert if not exist"-style retriever but lacked proper read-write lock protection. This created a race condition when the method was called concurrently. The issue has been classified as CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization). The CVSS v3.1 vector is CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating adjacent network attack vector with high attack complexity (NVD).

The race condition vulnerability could potentially lead to data inconsistency or corruption when multiple concurrent calls are made to the cluster_id functionality. The high CVSS score indicates potential severe impacts on confidentiality, integrity, and availability of the affected system (NVD).

The vulnerability has been fixed in Deis Workflow Manager version 2.3.3. The fix includes adding read-write lock protection to the Get() method and removing static clusterID getter in sendVersionsImpl. Users should upgrade to version 2.3.3 or later to address this security issue (GitHub Release).