Smira

**Name of the Vulnerable Software and Affected Versions** Omni versions prior to 1.1.5 Omni versions prior to 1.0.2 **Description** Omni, a platform for managing Kubernetes, may disclose sensitive information through an API endpoint in affected versions. The platform operates on bare metal, virtual machines, and cloud infrastructures. **Recommendations** Update Omni to version 1.1.5 or later. Update Omni to version 1.0.2 or later.

**Name of the Vulnerable Software and Affected Versions** Omni versions prior to 0.48.0 **Description** Omni, a Kubernetes management platform, has a potential issue where the Wireguard SideroLink component could be exploited to allow unauthorized packet transmission. The system establishes a peer-to-peer connection using WireGuard for mutual authentication and authorization. While the source IP address of incoming packets is validated, the destination address is not. This lack of destination address validation, combined with the untrusted nature of the Talos environment and potential access from workloads with host networking, could allow a malicious workload to send arbitrary packets over the SideroLink interface. **Recommendations** Update to version 0.48.0 or later.

**Name of the Vulnerable Software and Affected Versions** Talos versions prior to 1.2.2 **Description** The issue is related to improper validation of the request while signing a worker node CSR, which might allow a Talos control plane node to issue a Talos API certificate with full access to the Talos API. This could reveal sensitive information and allow full-level access to the cluster. The Talos API join token is stored in the machine configuration on the worker node. Misconfigurations, such as allowing `hostPath` mounts or reading machine configuration from a cloud metadata server, may enable a workload to access the machine configuration and reveal the join token. **Recommendations** For versions prior to 1.2.2, update to Talos 1.2.2 to fix the issue. As a temporary workaround, consider enabling the Pod Security Standards to deny `hostPath` mounts and host networking by default in the baseline policy. Restrict access to the machine configuration and secure access to the cloud metadata server to minimize the risk of exploitation.