CVE-2021-44458: security/0001.md at main · Mirantis/security

Linux users running Lens 5.2.6 and earlier could be compromised by visiting a malicious website. The malicious website could make websocket connections from the victim’s browser to Lens and so operate the local terminal feature. This would allow the attacker to execute arbitrary commands as the Lens user.


Lack of websocket authentication in Lens causes remote code execution when visiting a malicious website

Release Date

2021/11/17

Overview

Linux users running Lens could be compromised by visiting a malicious website. The malicious website could make websocket connections from the victim’s browser to Lens and so operate the local terminal feature. This would allow the attacker to execute arbitrary commands as the Lens user.

To exploit

  1. Lens needs to be running on Linux
  2. The attacker needs to know the cluster ID of at least one of the victim’s clusters
  3. The victim needs to visit a malicious site

https://github.com/lensapp/lens/security/advisories/GHSA-x8mv-qr7w-4fm9

Affected Products

Lens 5.2.6 or earlier running on Linux

Unaffected Products

Lens running on Mac or Windows

Vulnerability Information

CVE Identifier

CVE-2021-44458

CVSSv3.1

8.3 High CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

CWEs

CWE-287

Mitigations

None

Workarounds

None

Acknowledgements

Found by Mirantis PSIRT

Disclosure Timeline

2021/11/17: Public disclosure

2021/11/10: 5.2.7 with fixes published

2021/11/08: PSIRT reported vulnerability to the Lens team
