Malicious links can be crafted by users and shown in the UI
The exposure appears in the Weave GitOps Enterprise UI through the dashboard link rendered for a GitopsCluster. The link is taken from an annotation on the GitopsCluster custom resource, so whoever can set that annotation controls where the link points.
The attacker does not need access to the Weave GitOps UI to craft the link: the annotation can be set by modifying the resource through the Git repository or through the Kubernetes API.
Given that the exposure comes from modifications to GitopsCluster objects, mitigation consists of establishing controls that prevent an attacker from modifying them:
- Via Git, by ensuring that no modification to GitopsCluster resources is merged without review, or by a control that rejects such changes.
- Via the Kubernetes API, by ensuring that access to GitopsCluster resources is properly restricted with RBAC.
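As an added example (not code from this advisory or from the Weave GitOps project), the following Python script turns the two controls above into automated checks: a pre-merge lint that flags GitopsCluster annotation values carrying a non-http(s) link scheme (such as javascript:) or a host outside an allow-list, and an audit of Role/ClusterRole rules that grant write verbs on gitopsclusters. The API group gitops.weave.works, the resource name gitopsclusters, the annotation keys and the sample manifests are assumptions and constructed inputs; the advisory does not name the annotation that carries the dashboard link, so the lint inspects every annotation value.

```python
"""Pre-merge checks for GitopsCluster manifests and for RBAC rules that can modify them.

Added example; the manifests below are constructed inputs, not taken from any real cluster.
"""
from urllib.parse import urlsplit

# Assumption: GitopsCluster is served under this API group/resource (not stated in the advisory).
GITOPSCLUSTER_GROUP = "gitops.weave.works"
GITOPSCLUSTER_RESOURCE = "gitopsclusters"
# Verbs that let a subject change the annotations of an existing or new object.
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection", "*"}
SAFE_SCHEMES = {"http", "https"}


def unsafe_annotation_links(manifest, allowed_hosts=None):
    """Return (annotation key, value, reason) for every annotation value that is a URL
    with a scheme other than http/https, or whose host is outside allowed_hosts.

    Conservative on purpose: any value that parses with a scheme is treated as a link,
    so a plain-text value containing 'word:' is reported for human review too.
    """
    if manifest.get("kind") != "GitopsCluster":
        return []
    annotations = manifest.get("metadata", {}).get("annotations", {}) or {}
    findings = []
    for key, value in annotations.items():
        if not isinstance(value, str):
            continue
        # Browsers ignore embedded tabs/newlines when parsing a URL; strip them so
        # "java\tscript:" is classified the same way a browser would classify it.
        cleaned = "".join(c for c in value if not c.isspace() and c.isprintable())
        parts = urlsplit(cleaned)
        if not parts.scheme:
            continue  # no scheme: plain text, not a link
        scheme = parts.scheme.lower()
        if scheme not in SAFE_SCHEMES:
            findings.append((key, value, f"unsafe scheme {scheme!r}"))
        elif allowed_hosts is not None and parts.hostname not in allowed_hosts:
            findings.append((key, value, f"host {parts.hostname!r} not allowed"))
    return findings


def rbac_write_grants(role):
    """Return the rules of a Role/ClusterRole that grant a write verb on gitopsclusters.

    Wildcards ('*') in apiGroups, resources or verbs count as a grant.
    """
    if role.get("kind") not in ("Role", "ClusterRole"):
        return []
    grants = []
    for rule in role.get("rules", []) or []:
        groups = set(rule.get("apiGroups", []))
        resources = set(rule.get("resources", []))
        verbs = set(rule.get("verbs", []))
        if not groups & {GITOPSCLUSTER_GROUP, "*"}:
            continue
        if not resources & {GITOPSCLUSTER_RESOURCE, "*"}:
            continue
        if verbs & WRITE_VERBS:
            grants.append(rule)
    return grants


# Constructed sample manifests; the annotation keys are hypothetical.
CONSTRUCTED_CLUSTER = {
    "apiVersion": "gitops.weave.works/v1alpha1",
    "kind": "GitopsCluster",
    "metadata": {
        "name": "prod-eu",
        "annotations": {
            "example.com/dashboard-grafana": "https://grafana.example.internal/d/prod",
            "example.com/dashboard-ops": "javascript:alert(document.cookie)",
        },
    },
    "spec": {},
}

CONSTRUCTED_ROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "ClusterRole",
    "metadata": {"name": "cluster-viewer"},
    "rules": [
        {"apiGroups": ["gitops.weave.works"], "resources": ["gitopsclusters"], "verbs": ["get", "list", "watch"]},
        {"apiGroups": ["gitops.weave.works"], "resources": ["gitopsclusters"], "verbs": ["patch"]},
    ],
}


def main():
    for key, value, reason in unsafe_annotation_links(CONSTRUCTED_CLUSTER):
        print(f"REJECT annotation {key}={value!r}: {reason}")
    for rule in rbac_write_grants(CONSTRUCTED_ROLE):
        print(f"REVIEW rule grants write on gitopsclusters: {rule}")


if __name__ == "__main__":
    main()
```

Run the first check in CI against every GitopsCluster document in a pull request and fail the build on any finding; run the second against the Roles and ClusterRoles applied to the management cluster so that write access to gitopsclusters is limited to the controllers and people who actually need it.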
For more information
If you have any questions or comments about this advisory:
- Email us at firstname.lastname@example.org