CVE-2021-44458: 
NixOS vulnerability analysis and mitigation

Linux users running Lens 5.2.6 and earlier were vulnerable to a remote code execution vulnerability (CVE-2021-44458) discovered in November 2021. The vulnerability allowed attackers to execute arbitrary commands as the Lens user by exploiting websocket connections when victims visited malicious websites (Mirantis Advisory).

The vulnerability is characterized by a lack of websocket authentication in Lens, allowing malicious websites to establish websocket connections to the victim's Lens application and operate the local terminal feature. The vulnerability has a CVSS v3.1 base score of 9.6 (Critical) according to NVD, while Mirantis assessed it at 8.3 (High). The vulnerability is classified under CWE-346 (Origin Validation Error) and CWE-287 (Improper Authentication) (NVD).

Successful exploitation of this vulnerability could allow attackers to execute arbitrary commands with the privileges of the Lens user on Linux systems. The attack requires the attacker to know the cluster ID of at least one of the victim's clusters (Mirantis Advisory).

The vulnerability was patched in Lens version 5.2.7, released on November 10, 2021. No workarounds were available for affected versions, making upgrading to version 5.2.7 or later the only mitigation option (Mirantis Advisory).