-
Notifications
You must be signed in to change notification settings - Fork 62
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
x/vulndb: potential Go vuln in github.com/siderolabs/talos: CVE-2022-36103, GHSA-7hgc-php5-77qq #995
Labels
excluded: EFFECTIVELY_PRIVATE
This vulnerability exists in a package can be imported, but isn't meant to be outside that module.
Comments
tatianab
changed the title
x/vulndb: potential Go vuln in github.com/siderolabs/talos: CVE-2022-36103
x/vulndb: potential Go vuln in github.com/siderolabs/talos: CVE-2022-36103, GHSA-7hgc-php5-77qq
Sep 19, 2022
tatianab
added
excluded: EFFECTIVELY_PRIVATE
This vulnerability exists in a package can be imported, but isn't meant to be outside that module.
and removed
NeedsTriage
labels
Sep 28, 2022
Change https://go.dev/cl/435459 mentions this issue: |
Change https://go.dev/cl/592774 mentions this issue: |
Change https://go.dev/cl/607230 mentions this issue: |
gopherbot
pushed a commit
that referenced
this issue
Aug 21, 2024
- data/reports/GO-2022-0985.yaml - data/reports/GO-2022-0986.yaml - data/reports/GO-2022-0987.yaml - data/reports/GO-2022-0989.yaml - data/reports/GO-2022-0995.yaml - data/reports/GO-2022-1000.yaml - data/reports/GO-2022-1006.yaml - data/reports/GO-2022-1014.yaml - data/reports/GO-2022-1015.yaml - data/reports/GO-2022-1019.yaml - data/reports/GO-2022-1021.yaml - data/reports/GO-2022-1023.yaml - data/reports/GO-2022-1029.yaml - data/reports/GO-2022-1032.yaml - data/reports/GO-2022-1033.yaml - data/reports/GO-2022-1060.yaml - data/reports/GO-2022-1062.yaml - data/reports/GO-2022-1065.yaml - data/reports/GO-2022-1066.yaml - data/reports/GO-2022-1067.yaml Updates #985 Updates #986 Updates #987 Updates #989 Updates #995 Updates #1000 Updates #1006 Updates #1014 Updates #1015 Updates #1019 Updates #1021 Updates #1023 Updates #1029 Updates #1032 Updates #1033 Updates #1060 Updates #1062 Updates #1065 Updates #1066 Updates #1067 Change-Id: I27b6f79e1898a13040a758a71348464c5e7c72a9 Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/607230 Auto-Submit: Tatiana Bradley <tatianabradley@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Damien Neil <dneil@google.com> Commit-Queue: Tatiana Bradley <tatianabradley@google.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Labels
excluded: EFFECTIVELY_PRIVATE
This vulnerability exists in a package can be imported, but isn't meant to be outside that module.
CVE-2022-36103 references github.com/siderolabs/talos, which may be a Go module.
Description:
Talos Linux is a Linux distribution built for Kubernetes deployments. Talos worker nodes use a join token to get accepted into the Talos cluster. Due to improper validation of the request while signing a worker node CSR (certificate signing request) Talos control plane node might issue Talos API certificate which allows full access to Talos API on a control plane node. Accessing Talos API with full level access on a control plane node might reveal sensitive information which allows full level access to the cluster (Kubernetes and Talos PKI, etc.). Talos API join token is stored in the machine configuration on the worker node. When configured correctly, Kubernetes workloads don't have access to the machine configuration, but due to a misconfiguration workload might access the machine configuration and reveal the join token. This problem has been fixed in Talos 1.2.2. Enabling the Pod Security Standards mitigates the vulnerability by denying hostPath mounts and host networking by default in the baseline policy. Clusters that don't run untrusted workloads are not affected. Clusters with correct Pod Security configurations which don't allow hostPath mounts, and secure access to cloud metadata server (or machine configuration is not supplied via cloud metadata server) are not affected.
References:
See doc/triage.md for instructions on how to triage this report.
The text was updated successfully, but these errors were encountered: