Can you explain this vulnerability to me?

This vulnerability exists in the Air Traffic Controller (ATC) component of Yoke, a Helm-inspired infrastructure-as-code package deployer. In versions 0.19.0 and earlier, the ATC webhook endpoints do not have proper authentication mechanisms. This means that any pod within the cluster network can send AdmissionReview requests directly to the webhook, bypassing the Kubernetes API Server's authentication controls.

As a result, attackers can trigger the execution of WASM modules in the ATC controller context without proper authorization.

Useful 0 Not Useful 0

How can this vulnerability impact me? :

Because the vulnerability allows unauthorized pods within the cluster to send AdmissionReview requests and trigger WASM module execution in the ATC controller, it can lead to unauthorized actions being performed within the infrastructure deployment process.

Specifically, the impact includes the potential for attackers to manipulate or interfere with infrastructure-as-code deployments, which could compromise the integrity of the deployed environment.

The CVSS score of 7.5 indicates a high severity, with no privileges required and no user interaction needed, making exploitation relatively easy within the cluster network.

Useful 0 Not Useful 0

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

I don't know

Useful 0 Not Useful 0

How can this vulnerability be detected on my network or system? Can you suggest some commands?

I don't know

Useful 0 Not Useful 0

What immediate steps should I take to mitigate this vulnerability?

I don't know

Useful 0 Not Useful 0