PT-2023-12724 · Weave · Weave Gitops

Pjbgf

·

Published

2023-01-09

·

Updated

2024-08-20

·

CVE-2022-23509

CVSS v3.1

7.3

High

Vector: AV:A/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Weave GitOps versions prior to v0.12.0

Description: The communication between GitOps Run and the local S3 bucket is not encrypted. Any sufficiently privileged user or process on the same host can tap the local traffic and obtain information that permits access to the S3 bucket. With that access, the bucket content can be changed, and because GitOps Run reconciles the bucket content into the cluster, this leads to modifications of the Kubernetes cluster's resources. There are no known workarounds for this issue.

Recommendations: For Weave GitOps versions prior to v0.12.0, upgrade to Weave GitOps version >= v0.12.0, released on 08/12/2022. Until the upgrade is applied, restrict access to the local S3 bucket (and to the host interface it listens on) to minimize the risk of exploitation.
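To make the weakness concrete, the following is an added example, not code from the Weave GitOps project or from this advisory. It reconstructs what a process tapping the loopback interface sees when an S3 client talks to a local S3-compatible server over plain HTTP (CWE-319): the request line, the object being written, the full object body, and the AWS SigV4 Authorization header with its access key ID. The captured request, host, bucket name and access key are constructed for this example; the TLS check shows why the same tap yields nothing readable once the connection is encrypted.

```python
"""Added example: parse a captured cleartext S3 request from the loopback
interface and report what an eavesdropper learns. Not project code; the
captured bytes below are constructed for illustration."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: one PUT to a local S3-compatible server over plain HTTP.
# Host, bucket, key and credential are made up for this example.
CAPTURED_REQUEST = (
    b"PUT /example-bucket/manifests/deploy.yaml HTTP/1.1\r\n"
    b"Host: 127.0.0.1:9000\r\n"
    b"X-Amz-Date: 20221201T120000Z\r\n"
    b"X-Amz-Content-Sha256: UNSIGNED-PAYLOAD\r\n"
    b"Authorization: AWS4-HMAC-SHA256 "
    b"Credential=AKIAEXAMPLE00000001/20221201/us-east-1/s3/aws4_request, "
    b"SignedHeaders=host;x-amz-content-sha256;x-amz-date, "
    b"Signature=0123456789abcdef\r\n"
    b"Content-Length: 31\r\n"
    b"\r\n"
    b"apiVersion: v1\nkind: Namespace\n"
)

# Constructed sample: first bytes of a TLS ClientHello (record type 0x16,
# version 0x0301). Over TLS this is all the tap sees of the same request.
CAPTURED_TLS = b"\x16\x03\x01\x00\xf4\x01\x00\x00\xf0\x03\x03"


@dataclass
class S3Exposure:
    """Everything recoverable from one cleartext SigV4-signed S3 request."""
    method: str
    bucket: str
    object_key: str
    access_key_id: str
    scope_date: str
    region: str
    signed_headers: list
    signature: str
    body: bytes


# SigV4 Authorization header: Credential=<access-key-id>/<date>/<region>/s3/aws4_request
_SIGV4_RE = re.compile(
    r"AWS4-HMAC-SHA256\s+Credential=([^/]+)/(\d{8})/([^/]+)/s3/aws4_request,\s*"
    r"SignedHeaders=([^,]+),\s*Signature=([0-9a-f]+)"
)


def looks_like_tls(data: bytes) -> bool:
    """True when the stream starts with a TLS record header (0x16 0x03 ..)."""
    return len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03


def parse_s3_request(raw: bytes) -> Optional[S3Exposure]:
    """Return the exposed fields of a cleartext S3 request, or None if the
    bytes are encrypted or are not a SigV4-signed HTTP request."""
    if looks_like_tls(raw):
        return None
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return None
    try:
        lines = head.decode("ascii").split("\r\n")
    except UnicodeDecodeError:
        return None
    request_line = lines[0].split(" ")
    if len(request_line) != 3 or not request_line[2].startswith("HTTP/"):
        return None
    method, path = request_line[0], request_line[1]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    match = _SIGV4_RE.match(headers.get("authorization", ""))
    if not match:
        return None
    # Path-style addressing: /<bucket>/<object key>
    bucket, _, key = path.lstrip("/").partition("/")
    return S3Exposure(
        method=method,
        bucket=bucket,
        object_key=key,
        access_key_id=match.group(1),
        scope_date=match.group(2),
        region=match.group(3),
        signed_headers=match.group(4).split(";"),
        signature=match.group(5),
        body=body,
    )


if __name__ == "__main__":
    exposed = parse_s3_request(CAPTURED_REQUEST)
    print("cleartext:", exposed)
    print("over TLS:", parse_s3_request(CAPTURED_TLS))
```

With SigV4 the secret access key itself never travels on the wire, so what a local tap yields is the access key ID, the signed request (including the object key and the complete body of every manifest written), and the signature scope; an attacker who can both read and inject on the local interface is in a position to tamper with what reaches the bucket. The fixed release moves the channel onto TLS, at which point the same tap only sees record headers like the second sample.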

Weakness Enumeration

CWE-319: Cleartext Transmission of Sensitive Information

Category

Information Disclosure

Related Identifiers

CVE-2022-23509
GHSA-89QM-WCMW-3MGG
GO-2023-1388

Affected Products

Weave Gitops