CVE-2022-23508: 
vulnerability analysis and mitigation

Weave GitOps is a simple open source developer platform for cloud native applications that doesn't require Kubernetes expertise. A vulnerability (CVE-2022-23508) was discovered in GitOps run that could allow a local user or process to alter a Kubernetes cluster's resources. The vulnerability was fixed in version 0.12.0, released on August 12, 2022 (GitHub Advisory).

The vulnerability exists in GitOps run's local S3 bucket functionality, which is used for synchronizing files that are later applied against a Kubernetes cluster. The S3 bucket endpoint had no security controls to block unauthorized access, allowing local users and processes on the same machine to see and alter the bucket content. The vulnerability has been assigned a CVSS v3.1 base score of 8.8 HIGH with vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H (GitHub Advisory, NVD).

An attacker could exploit this vulnerability to inject workloads of their choosing into the S3 bucket, resulting in successful deployment to the target Kubernetes cluster without requiring credentials for either the S3 bucket or the Kubernetes cluster. This could lead to unauthorized access and modifications to cluster resources (GitHub Advisory).

The vulnerability has been fixed in Weave GitOps version 0.12.0 and later through commits 75268c4 and 966823b. There are no known workarounds for this vulnerability, and users are advised to upgrade to version 0.12.0 or later (GitHub Advisory).