Keptn v1 reached EOL December 22, 2023. For more information see https://bit.ly/keptn
Home / Keptn v1 Docs / News / Vulnerability Bulletins / Keptn-Vulnerability-2022-001
Keptn-Vulnerability-2022-001
Version 1.0
Revision Information
| Revision | Updated | Reason |
|---|---|---|
| 1.0 | March 16, 2022 | Initial Reason |
Affected
Keptn webhook-service in version 0.10.0 and newer.
Description
Keptn webhook-service in version 0.10.0 and newer allow directly accessing the Kubernetes APIs. Furthermore, Kubernetes tokens, such as the service account token, could be leaked. The tokens could be exploited to read/write/delete the secrets created and managed by Keptn. This includes all secrets created via:
- the secret management page and the secrets created;
- the CLI with
keptn create secret; - the APIs
/api/secrets/v1.
The tokens that could be leaked do not compromise the Keptn configuration. Access to the Git tokens for configured upstreams is not compromised.
With Keptn versions >0.12.4 and >0.13.3 the bug is fixed (Release 0.12.4 and Release 0.13.3).
Severity
The severity of the vulnerability of webhook-service are:
Token Leak: CVSS v3.0 Vector Score 4.5: CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Kubernetes API access: CVSS v3.0 Vector Score 8.3:CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L
Note: The calculation of the CVSS is based on a Keptn 0.13.2 installation.
Recommendations
The release of webhook-service in version 0.12.4 and 0.13.3 (and following versions) contains fixes to the aforementioned issues. We recommend upgrading to one of these versions as soon as possible. Furthermore, we recommend rotating all credentials stored as Keptn secret. Also, investigation of downstream services is recommended.
Workaround
- Disable the webhook-service.
