Privilege escalation vulnerability via malicious “Connection” header

High
Disper published GHSA-2vjp-5q24-hqjv Dec 14, 2021

Package

gomod components/apiserver-proxy/internal/proxy (Go)

Affected versions

<1.24.7

Patched versions

1.24.7

Description

Problem Type

Header Manipulation

Impact

Due to insufficient input validation in Kyma, an authenticated user can pass a header of their choice and escalate privileges, which can completely compromise the cluster.
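The advisory names a malicious "Connection" header as the vector but does not describe the proxy's internals. The example below is an added illustration, not code from the Kyma `components/apiserver-proxy/internal/proxy` package, of the defensive pattern a proxy that injects its own identity headers should follow: strip the standard hop-by-hop headers and every header the client's `Connection` field names first, discard any client-supplied copy of the identity header, and only then set the identity header from the principal the proxy itself authenticated. The header name `X-Authenticated-User` and the function names are assumptions chosen for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// Hop-by-hop headers listed in RFC 7230 section 6.1. A proxy must not forward
// these, and must also drop any header the client named in Connection.
var hopByHop = []string{
	"Connection", "Keep-Alive", "Proxy-Authenticate", "Proxy-Authorization",
	"Te", "Trailer", "Transfer-Encoding", "Upgrade",
}

// identityHeader is a hypothetical name (an assumption of this example) for
// the header the proxy sets to tell the upstream API server who is calling.
const identityHeader = "X-Authenticated-User"

// StripHopByHop removes the standard hop-by-hop headers plus every header the
// client named in Connection. Doing this before the proxy adds its own
// headers means a client-controlled Connection value cannot decide which of
// the proxy's headers survive the hop.
func StripHopByHop(h http.Header) {
	for _, v := range h.Values("Connection") {
		for _, name := range strings.Split(v, ",") {
			if name = strings.TrimSpace(name); name != "" {
				h.Del(name)
			}
		}
	}
	for _, name := range hopByHop {
		h.Del(name)
	}
}

// PrepareUpstreamHeaders builds the header set forwarded to the API server.
// The client's headers are cloned (the caller's view is left untouched),
// hop-by-hop headers are stripped, any client-supplied identity header is
// discarded, and the identity header is set last from the user the proxy
// authenticated, so nothing the client sent can influence it.
func PrepareUpstreamHeaders(in http.Header, authenticatedUser string) http.Header {
	out := in.Clone()
	StripHopByHop(out)
	out.Del(identityHeader) // never trust a client-supplied identity
	out.Set(identityHeader, authenticatedUser)
	return out
}

func main() {
	// Constructed request headers: the client supplies its own identity
	// header and names it in Connection, which an RFC-compliant hop would
	// otherwise treat as an instruction to drop that header.
	in := http.Header{}
	in.Set("Authorization", "Bearer <constructed-token>")
	in.Set(identityHeader, "cluster-admin")
	in.Set("Connection", identityHeader+", keep-alive")
	in.Set("Keep-Alive", "timeout=5")

	out := PrepareUpstreamHeaders(in, "alice")
	fmt.Println(out)
}
```

The ordering is the point: if identity headers were set before hop-by-hop stripping, a client could name them in `Connection` and have the proxy remove its own assertion of who the caller is. Setting them after stripping, and never copying a client-supplied value, closes that window regardless of what the client sends.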

Patches

The problem was patched in 1.24.7.

Severity

High
8.8 / 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE ID

CVE-2021-38182