Headline
CVE-2021-44458: security/0001.md at main · Mirantis/security
Linux users running Lens 5.2.6 and earlier could be compromised by visiting a malicious website. The malicious website could make websocket connections from the victim’s browser to Lens and so operate the local terminal feature. This would allow the attacker to execute arbitrary commands as the Lens user.
Lack of websocket authentication in Lens causes remote code execution when visiting a malicious website
Release Date
2021/11/17
Overview
Linux users running Lens could be compromised by visiting a malicious website. The malicious website could make websocket connections from the victim’s browser to Lens and so operate the local terminal feature. This would allow the attacker to execute arbitrary commands as the Lens user.
To exploit
- Lens needs to be running on Linux
- The attacker needs to know the cluster ID of at least one of the victim’s clusters
- The victim needs to visit a malicious site
https://github.com/lensapp/lens/security/advisories/GHSA-x8mv-qr7w-4fm9
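Browsers do not apply the same-origin policy to WebSocket connections, so a local server has to authenticate each handshake itself. The following is an added example, not code from Lens or from this advisory: a Node.js handshake check that combines an Origin allowlist with a per-session token. The `/shell` path, the `clusterId` and `token` parameter names, and port 9000 are assumptions made for illustration.

```javascript
const crypto = require("crypto");

// Hypothetical values: the origin the desktop app's own UI is served from,
// and a random token generated per app session and handed only to that UI.
const ALLOWED_ORIGINS = new Set(["http://localhost:9000"]);
const sessionToken = crypto.randomBytes(32).toString("hex");

// Constant-time comparison so the token cannot be guessed byte by byte.
function tokensMatch(given, expected) {
  const a = Buffer.from(String(given ?? ""));
  const b = Buffer.from(expected);
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}

// Decide whether a WebSocket upgrade request may reach the terminal.
// `req` has the shape of Node's http.IncomingMessage (url + headers).
function authorizeUpgrade(req, expectedToken = sessionToken) {
  const origin = req.headers.origin;
  // Browsers set Origin on WebSocket handshakes; page script cannot override it.
  if (origin !== undefined && !ALLOWED_ORIGINS.has(origin)) {
    return { ok: false, reason: "origin not allowed" };
  }
  // Knowing a cluster ID is not proof of identity: require the secret token too.
  const url = new URL(req.url, "http://localhost");
  if (!tokensMatch(url.searchParams.get("token"), expectedToken)) {
    return { ok: false, reason: "missing or invalid token" };
  }
  return { ok: true, clusterId: url.searchParams.get("clusterId") };
}

// Constructed sample handshakes (not captured traffic).
const fromOtherSite = {
  url: "/shell?clusterId=abc123",
  headers: { origin: "https://untrusted.example" },
};
const fromAppUi = {
  url: `/shell?clusterId=abc123&token=${sessionToken}`,
  headers: { origin: "http://localhost:9000" },
};
const noOriginNoToken = { url: "/shell?clusterId=abc123", headers: {} };

for (const req of [fromOtherSite, fromAppUi, noOriginNoToken]) {
  console.log(req.url.slice(0, 24), authorizeUpgrade(req));
}
```

The check runs in the HTTP server's `upgrade` handler before the socket is handed to the terminal; a rejected request should have its socket destroyed without completing the handshake.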
Affected Products
Lens 5.2.6 or earlier running on Linux
Unaffected Products
Lens running on Mac or Windows
Vulnerability Information
CVE Identifier
CVE-2021-44458
CVSSv3.1
8.3 High CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
CWEs
CWE-287
Mitigations
None
Workarounds
None
Acknowledgements
Found by Mirantis PSIRT
Disclosure Timeline
2021/11/17: Public disclosure
2021/11/10: 5.2.7 with fixes published
2021/11/8: PSIRT reported vulnerability to the Lens team