Unauthorized data access from replicas through vulnerable instance manager pods

CVE-2021-36780

8.1HIGH

Key Information

Vendor: Suse
Status: Longhorn
Vendor: CVE Published:; 17 December 2021

Summary

A Missing Authentication for Critical Function vulnerability in longhorn of SUSE Longhorn allows attackers to connect to a longhorn-engine replica instance granting it the ability to read and write data to and from a replica that they should not have access to. This issue affects: SUSE Longhorn longhorn versions prior to 1.1.3; longhorn versions prior to 1.2.3v.

Affected Version(s)

Longhorn < 1.1.3

Longhorn < 1.2.3v

CVSS V3.1

Score:

8.1

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

None

Attack Vector:

Adjacent Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published.
Dec 17, 2021
Vulnerability Reserved.
Jul 19, 2021

Collectors

NVD DatabaseMitre Database

Credit

Dagan Henderson and Will Kline