Host operations allowed in privileged Longhorn managed pods

CVE-2021-36779

9.6CRITICAL

Key Information

Vendor: Suse
Status: Longhorn
Vendor: CVE Published:; 17 December 2021

Summary

A Missing Authentication for Critical Function vulnerability in SUSE Longhorn allows any workload in the cluster to execute any binary present in the image on the host without authentication. This issue affects: SUSE Longhorn longhorn versions prior to 1.1.3; longhorn versions prior to 1.2.3.

Affected Version(s)

Longhorn < 1.1.3

Longhorn < 1.2.3

CVSS V3.1

Score:

9.6

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Adjacent Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Timeline

Vulnerability published.
Dec 17, 2021
Vulnerability Reserved.
Jul 19, 2021

Collectors

NVD DatabaseMitre Database

Credit

Dagan Henderson and Will Kline