Skip to content
Permalink
main
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Go to file
 
 
Cannot retrieve contributors at this time

Lack of websocket authentication in Lens causes remote code execution when visiting a malicious website

Release Date

2021/11/17

Overview

Linux users running Lens could be compromised by visiting a malicious website. The malicious website could make websocket connections from the victim's browser to Lens and so operate the local terminal feature. This would allow the attacker to execute arbitrary commands as the Lens user.

To exploit

  1. Lens needs to be running on Linux
  2. The attacker needs to know the cluster ID of at least one of the victim's clusters
  3. The victim needs to visit a malicious site

https://github.com/lensapp/lens/security/advisories/GHSA-x8mv-qr7w-4fm9

Affected Products

Lens 5.2.6 or earlier running on Linux

Unaffected Products

Lens running on Mac or Windows

Vulnerability Information

CVE Identifier

CVE-2021-44458

CVSSv3.1

8.3 High CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

CWEs

CWE-287

Mitigations

None

Work arounds

None

Acknowledgements

Found by Mirantis PSIRT

Disclosure Timeline

2021/11/17: Public disclosure

2021/11/10: 5.2.7 with fixes published

2021/11/8: PSIRT reported vulnerability to the Lens team