PT-2022-3231 · Unknown · Edgexfoundry

Eb-Oss · Published 2022-06-14 · Updated 2024-08-21 · CVE-2022-31066

CVSS v3.1: 5.9 (Medium)
Vector: AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions: EdgeXFoundry versions prior to 2.1.1

Description: When an EdgeX service runs in security-enabled mode, its /api/v2/config endpoint returns the message bus credentials to local, unauthenticated callers, bypassing the access controls that are supposed to protect those credentials. With the credentials, a local attacker can connect to the EdgeX message bus to intercept data or inject fake data.

Recommendations: For EdgeXFoundry versions prior to 2.1.1, upgrade to the EdgeXFoundry Kamakura release (2.2.0) or to the June 2022 EdgeXFoundry LTS Jakarta release (2.1.1), both of which contain the patch. Until the upgrade is applied, restrict access to the /api/v2/config endpoint as a temporary workaround; because the attack vector is local (AV:L), the restriction has to cover direct access to the service's port on the host, not only requests arriving from outside. For the specific Go modules, Docker containers, and snaps that carry the fix, refer to the GitHub Security Advisory.
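A check for this exposure, added here as an example and not code from the EdgeX project or from the advisory: it walks a service's /api/v2/config response, reports every credential-like key that carries a real value (ignoring empty values and names such as SecretName that only point at a secret), and shows the redacted form a patched endpoint should return. The response shape (apiVersion/serviceName/config), the MessageQueue.Optional layout and the default core-service ports are assumptions taken from EdgeX 2.x defaults; the sample response is constructed, with made-up hostnames and credential values, not captured from a real deployment.

```python
"""Audit EdgeX /api/v2/config responses for exposed message bus credentials.

Added example for CVE-2022-31066, not EdgeX project code. Assumed: the v2
response shape {"apiVersion", "serviceName", "config"}, the EdgeX 2.x
MessageQueue.Optional layout and the default core-service ports. The sample
response is constructed; its credential values are made up.
"""
import json
import re
import sys
import urllib.request
from typing import Any, Dict, Iterator, List, Tuple

# Key names that must not carry a real value in an unauthenticated response.
SENSITIVE_KEY = re.compile(r"password|passwd|secret|token|apikey|credential", re.IGNORECASE)
# "SecretName", "SecretPath" and similar only say where a secret lives; they are not the secret.
BENIGN_SUFFIX = re.compile(r"(name|path|file|mode|type)$", re.IGNORECASE)
REDACTED = "<redacted>"

# EdgeX 2.x default host ports of the core services (assumed; verify for your deployment).
DEFAULT_SERVICES = {"core-data": 59880, "core-metadata": 59881, "core-command": 59882}

# Constructed sample of what a pre-2.1.1 service using an authenticated MQTT bus might return.
SAMPLE_LEAKING_RESPONSE: Dict[str, Any] = {
    "apiVersion": "v2",
    "serviceName": "core-data",
    "config": {
        "Writable": {
            "LogLevel": "INFO",
            # In security-enabled mode these stay empty; the check must not flag empty values.
            "InsecureSecrets": {"mqtt": {"path": "mqtt-bus", "Secrets": {"username": "", "password": ""}}},
        },
        "MessageQueue": {
            "Protocol": "tcp", "Host": "edgex-mqtt-broker", "Port": 1883, "Type": "mqtt",
            "AuthMode": "usernamepassword", "SecretName": "mqtt-bus",
            "Optional": {"ClientId": "core-data", "Username": "edgex", "Password": "s3cr3t-from-vault"},
        },
    },
}


def is_sensitive_key(key: str) -> bool:
    """True for keys such as Password or ApiToken; False for SecretName or AuthMode."""
    return bool(SENSITIVE_KEY.search(key)) and not BENIGN_SUFFIX.search(key)


def walk(node: Any, path: str = "") -> Iterator[Tuple[str, Any]]:
    """Yield (dotted path, leaf value) for every leaf of a nested dict/list."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from walk(value, f"{path}[{i}]")
    else:
        yield path, node


def find_exposed_credentials(response: Dict[str, Any]) -> List[Tuple[str, str]]:
    """Return [(path, value)] for sensitive keys whose value is a real, non-empty string."""
    leaks: List[Tuple[str, str]] = []
    for path, value in walk(response.get("config", response)):
        key = path.rsplit(".", 1)[-1]
        if is_sensitive_key(key) and isinstance(value, str) and value not in ("", REDACTED):
            leaks.append((path, value))
    return leaks


def redact(response: Any) -> Any:
    """Copy of a response with sensitive values masked: what a patched endpoint should return."""
    if isinstance(response, dict):
        return {k: (REDACTED if is_sensitive_key(k) and isinstance(v, str) and v else redact(v))
                for k, v in response.items()}
    if isinstance(response, list):
        return [redact(v) for v in response]
    return response


def audit_response(response: Dict[str, Any]) -> Tuple[bool, str]:
    """(is_clean, report) for one service's /api/v2/config response."""
    name = response.get("serviceName", "?")
    leaks = find_exposed_credentials(response)
    if not leaks:
        return True, f"{name}: OK, no credential values in /api/v2/config"
    report = [f"{name}: EXPOSED, {len(leaks)} credential value(s) readable without authentication"]
    report += [f"  {path} = {value!r}" for path, value in leaks]
    return False, "\n".join(report)


def fetch_config(host: str, port: int, timeout: float = 5.0) -> Dict[str, Any]:
    """GET /api/v2/config with no credentials, exactly as a local unauthenticated user would."""
    with urllib.request.urlopen(f"http://{host}:{port}/api/v2/config", timeout=timeout) as resp:
        return json.load(resp)


if __name__ == "__main__":
    if len(sys.argv) > 1:  # python audit.py <edgex-host>: query the live core services
        for service, port in DEFAULT_SERVICES.items():
            try:
                print(audit_response(fetch_config(sys.argv[1], port))[1])
            except OSError as err:
                print(f"{service}: could not query port {port}: {err}")
    else:  # no host given: run against the constructed sample
        print(audit_response(SAMPLE_LEAKING_RESPONSE)[1])
        print(json.dumps(redact(SAMPLE_LEAKING_RESPONSE)["config"]["MessageQueue"]["Optional"]))
```

Run with no argument to see the constructed sample flagged and its redacted form printed; run with a host name to query that host's core services on the assumed default ports. A service on a patched release should report OK; anything that reports EXPOSED needs the upgrade or the endpoint restriction from the recommendations above.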

Exploit

Fix

Improper Access Control

Information Disclosure

Weakness Enumeration

Related Identifiers

BDU:2022-03934
CVE-2022-31066
GHSA-G63H-Q855-VP3Q
GO-2022-0491

Affected Products

Edgexfoundry