SPIFFE SPIRE up to 0.12.0 FetchX509SVID RPC certificate validation

Summaryinfo

A vulnerability has been found in SPIFFE SPIRE up to 0.8.4/0.9.3/0.10.1/0.11.2/0.12.0 and classified as critical. The affected element is an unknown function of the component FetchX509SVID RPC. This manipulation causes certificate validation. This vulnerability appears as CVE-2021-27098. There is no available exploit. The affected component should be upgraded.

Detailsinfo

A vulnerability classified as critical was found in SPIFFE SPIRE up to 0.8.4/0.9.3/0.10.1/0.11.2/0.12.0. Affected by this vulnerability is an unknown part of the component FetchX509SVID RPC. The manipulation with an unknown input leads to a certificate validation vulnerability. The CWE definition for the vulnerability is CWE-295. The product does not validate, or incorrectly validates, a certificate. As an impact it is known to affect confidentiality, integrity, and availability.

The weakness was presented 03/06/2021. It is possible to read the advisory at github.com. This vulnerability is known as CVE-2021-27098. The technical details are unknown and an exploit is not publicly available. The attack technique deployed by this issue is T1587.003 according to MITRE ATT&CK.

Upgrading to version 0.8.5, 0.9.4, 0.10.2, 0.11.3 or 0.12.1 eliminates this vulnerability.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Productinfo

Vendor

• SPIFFE

Name

• SPIRE

Version

• 0.1
• 0.2
• 0.3
• 0.4
• 0.5
• 0.6
• 0.7
• 0.8
• 0.8.0
• 0.8.1
• 0.8.2
• 0.8.3
• 0.8.4
• 0.9
• 0.9.0
• 0.9.1
• 0.9.2
• 0.9.3
• 0.10
• 0.10.0
• 0.10.1
• 0.11
• 0.11.0
• 0.11.1
• 0.11.2
• 0.12.0

Website

• Product: https://github.com/spiffe/spire/

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Discussion