VYPR
High severity · NVD Advisory · Published Jan 9, 2023 · Updated Mar 10, 2025

Weave Gitops Run vulnerable to insecure communication

CVE-2022-23509

Description

Local S3 bucket traffic in Weave GitOps Run is unencrypted, allowing privileged attackers to intercept and tamper with bucket contents and thus Kubernetes resources.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability

Analysis

CVE-2022-23509 affects Weave GitOps, an open-source developer platform for Kubernetes GitOps workflows. The vulnerability resides in the gitops run command, which provisions a local S3 bucket to synchronize files that are later applied against a Kubernetes cluster. The communication between the GitOps Run process and this local S3 bucket occurs over unencrypted HTTP, enabling any privileged user or process on the same host to capture network traffic [1][2].

Exploitation

An attacker with local access (e.g., a malicious process or a user with elevated privileges) can sniff the unencrypted traffic between GitOps Run and the S3 bucket. By intercepting this traffic, the attacker gains the credentials or session information needed to authenticate to the bucket. Once authenticated, the attacker can read, modify, or delete objects stored in the bucket, altering the intended deployment state [2].

Impact

Successful exploitation allows the attacker to tamper with the bucket contents, which directly translates into changes in the Kubernetes cluster's resources. Since the files in the bucket are applied to the cluster, an attacker could inject malicious manifests, disrupt workloads, or escalate privileges within the cluster [2]. The CVSS rating reflects a high impact on integrity and a potential impact on confidentiality.

Mitigation

The Weave GitOps development team has fixed the issue in commits ce2bbff [1] and babd915 [3] by enabling HTTPS for the local S3 bucket server, encrypting all communication. Users should upgrade to Weave GitOps version v0.12.0 or later, released on 2022-12-08 [2]. No workarounds were available at the time of disclosure.
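As an added illustration, not code from Weave GitOps or from this advisory, the following Go check is what a defender could run against the endpoint that gitops run hands to its S3 client: it flags an http:// configuration outright, and for an https:// endpoint it performs a real TLS handshake so that a setting which merely claims HTTPS while the local bucket server still answers in plaintext is also caught. The endpoint URL (for example the local bucket address) is assumed and passed as the first command-line argument.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net"
	"net/url"
	"os"
	"time"
)

// EndpointCheck is the result of probing one configured bucket endpoint.
type EndpointCheck struct {
	Endpoint string
	Scheme   string
	TLS      bool   // the server completed a TLS handshake
	Err      string // non-empty when the probe could not complete
}

// CheckBucketEndpoint parses the endpoint URL, records its scheme, and then
// dials the host with a TLS client. A plain-HTTP listener answers the
// ClientHello with a non-TLS record, so the handshake fails and TLS stays false.
func CheckBucketEndpoint(raw string) EndpointCheck {
	res := EndpointCheck{Endpoint: raw}
	u, err := url.Parse(raw)
	if err != nil || u.Host == "" {
		res.Err = "unparseable endpoint"
		return res
	}
	res.Scheme = u.Scheme
	host := u.Host
	if _, _, err := net.SplitHostPort(host); err != nil { // no explicit port
		port := "80"
		if u.Scheme == "https" {
			port = "443"
		}
		host = net.JoinHostPort(host, port)
	}
	dialer := &net.Dialer{Timeout: 2 * time.Second}
	conn, err := tls.DialWithDialer(dialer, "tcp", host, &tls.Config{
		InsecureSkipVerify: true, // probe only: we test for TLS presence, not cert validity
		MinVersion:         tls.VersionTLS12,
	})
	if err != nil {
		res.Err = err.Error()
		return res
	}
	conn.Close()
	res.TLS = true
	return res
}

// Plaintext reports whether the endpoint carries unencrypted traffic of the
// kind described in this advisory: configured as http, or not actually speaking TLS.
func (c EndpointCheck) Plaintext() bool { return c.Scheme != "https" || !c.TLS }

func main() {
	if len(os.Args) < 2 {
		fmt.Println("usage: endpointcheck <bucket-endpoint-url>") // endpoint is an assumed input
		return
	}
	r := CheckBucketEndpoint(os.Args[1])
	fmt.Printf("endpoint=%s scheme=%s tls=%v plaintext=%v err=%q\n", r.Endpoint, r.Scheme, r.TLS, r.Plaintext(), r.Err)
}
```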

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                              Ecosystem   Affected versions   Patched versions
github.com/weaveworks/weave-gitops   Go          < 0.12.0            0.12.0
