CVE-2022-23509: 
vulnerability analysis and mitigation

Weave GitOps is a simple open source developer platform for cloud native applications that doesn't require Kubernetes expertise. A vulnerability was discovered in GitOps run where it uses a local S3 bucket for synchronizing files that are later applied against a Kubernetes cluster. The communication between GitOps Run and the local S3 bucket was not encrypted, identified as CVE-2022-23509. This vulnerability affects versions <= v0.11.0 and was patched in version v0.12.0 released on 08/12/2022 (GitHub Advisory).

The vulnerability stems from unencrypted communication between GitOps Run and its local S3 bucket. The CVSS v3.1 base score is 6.0 MEDIUM according to NVD assessment, with vector string CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N. However, GitHub's assessment rates it as HIGH with a score of 7.3 and vector string CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H. The vulnerability is classified under CWE-319 (Cleartext Transmission of Sensitive Information) by NIST and CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) by GitHub (NVD).

The vulnerability allows privileged users or processes to intercept local traffic and gain information that permits access to the S3 bucket. Once access is gained, attackers could potentially alter the bucket content, which would result in unauthorized changes to the Kubernetes cluster's resources (GitHub Advisory).

The vulnerability has been fixed in Weave GitOps version v0.12.0 and later through commits ce2bbff and babd915. These commits implemented HTTPS support for the bucket server. There are no known workarounds for this vulnerability, and users are advised to upgrade to version v0.12.0 or later (GitHub Advisory).