CVE-2022-24829

Name of the Vulnerable Software and Affected Versions Garden versions prior to 0.12.39

Description Garden is an automation platform for Kubernetes development and testing. In some operating modes, multiple endpoints did not require authentication, allowing an attacker to gain access to the application erroneously. The configuration is leaked through the "/api" endpoint on the local server responsible for serving the Garden dashboard. This server is accessible to anyone on the same network, or anyone on the internet if they are on a public, static IP, which may lead to the ability to compromise credentials, secrets, or environment variables.

Recommendations For versions prior to 0.12.39, upgrade to version 0.12.39 as soon as possible. For users unable to upgrade, use a firewall to block access to port 9777 from all untrusted network machines.