Publish GHSA-pv22-fqcj-7xwh

advisory-database[bot] · advisory-database[bot] · commit 4400aa79fe7e · 2025-05-06T00:43:40.000Z
diff --git a/advisories/github-reviewed/2025/05/GHSA-pv22-fqcj-7xwh/GHSA-pv22-fqcj-7xwh.json b/advisories/github-reviewed/2025/05/GHSA-pv22-fqcj-7xwh/GHSA-pv22-fqcj-7xwh.json
@@ -0,0 +1,59 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-pv22-fqcj-7xwh",
+  "modified": "2025-05-06T00:42:04Z",
+  "published": "2025-05-06T00:42:04Z",
+  "aliases": [],
+  "summary": "Inspektor Gadget Security Policies Can be Bypassed",
+  "details": "Security policies like [`allowed-gadgets`](https://inspektor-gadget.io/docs/latest/reference/restricting-gadgets),  [`disallow-pulling`](https://inspektor-gadget.io/docs/latest/reference/disallow-pulling), [`verify-image`](https://inspektor-gadget.io/docs/latest/reference/verify-assets#verify-image-based-gadgets) can be bypassed by a malicious client.\n\n### Impact\n\nUsers running `ig` in daemon mode or IG on Kubernetes that rely on any of the features mentioned above are vulnerable to this issue. In order to exploit this, the client needs access to the server, like the correct TLS certificates on the `ig daemon` case or access to the cluster in the Kubernetes case. \n\n### Patches\n\nThe issue has been fixed in v0.40.0\n\n### Workarounds\n\nThere is not known workaround to fix it.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:H"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/inspektor-gadget/inspektor-gadget"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0.31.0"
+            },
+            {
+              "fixed": "0.40.0"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/inspektor-gadget/inspektor-gadget/security/advisories/GHSA-pv22-fqcj-7xwh"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/inspektor-gadget/inspektor-gadget/commit/c51d419964f5b6f9344fcad4faba70e2e025212b"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/inspektor-gadget/inspektor-gadget"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-285"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-05-06T00:42:04Z",
+    "nvd_published_at": null
+  }
+}
