CVE-2021-38182

Published: Dec 14, 2021Modified: Nov 21, 2024

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

Due to insufficient input validation of Kyma, authenticated users can pass a Header of their choice and escalate privileges which can completely compromise the cluster.

Affected (1)

Products: Kyma Project: Kyma

Kyma Project

1 product

Kyma

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Kyma Project Kyma	Before 1.24.7

Related CWEs

CWE-116

Improper Encoding or Escaping of Output

The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.

CWE-20

Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

References (4)

https://github.com/kyma-project/kyma/security/advisories/GHSA-2vjp-5q24-hqjv

Source: cna@sap.com

Third Party Advisory

https://wiki.scn.sap.com/wiki/display/PSR/SAP+Security+Patch+Day+-+December+2021

Source: cna@sap.com

Not Applicable

https://github.com/kyma-project/kyma/security/advisories/GHSA-2vjp-5q24-hqjv

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://wiki.scn.sap.com/wiki/display/PSR/SAP+Security+Patch+Day+-+December+2021

Source: af854a3a-2127-422b-91ae-364da2661108

Not Applicable

Timeline

No history available yet.