|1.0||March 16, 2022||Initial Reason|
Keptn webhook-service in version 0.10.0 and newer.
Keptn webhook-service in version 0.10.0 and newer allow directly accessing the Kubernetes APIs. Furthermore, Kubernetes tokens, such as the service account token, could be leaked. The tokens could be exploited to read/write/delete the secrets created and managed by Keptn. This includes all secrets created via:
keptn create secret;
The tokens that could be leaked do not compromise the Keptn configuration. Access to the Git tokens for configured upstreams is not compromised.
The severity of the vulnerability of webhook-service are:
Token Leak: CVSS v3.0 Vector Score 4.5:
Kubernetes API access: CVSS v3.0 Vector Score 8.3:
Note: The calculation of the CVSS is based on a Keptn 0.13.2 installation.
The release of webhook-service in version 0.12.4 and 0.13.3 (and following versions) contains fixes to the aforementioned issues. We recommend upgrading to one of these versions as soon as possible. Furthermore, we recommend rotating all credentials stored as Keptn secret. Also, investigation of downstream services is recommended.