Host operations allowed in privileged Longhorn managed pods
CVE-2021-36779

9.6CRITICAL

Key Information:

Vendor: Suse
Status: Longhorn
Vendor: CVE Published:; 17 December 2021

Summary

A Missing Authentication for Critical Function vulnerability in SUSE Longhorn allows any workload in the cluster to execute any binary present in the image on the host without authentication. This issue affects: SUSE Longhorn longhorn versions prior to 1.1.3; longhorn versions prior to 1.2.3.

Affected Version(s)

Longhorn longhorn < 1.1.3

Longhorn longhorn < 1.2.3

References

https://bugzilla.suse.com/show_bug.cgi?id=1191818

https://github.com/longhorn/longhorn/security/advisories/...

CVSS V3.1

Score:

9.6

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Adjacent Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Timeline

Vulnerability published
Dec 17, 2021
Vulnerability Reserved
Jul 19, 2021

Credit

Dagan Henderson and Will Kline