GHSA-pv22-fqcj-7xwh
Suggest an improvement- Source
- https://github.com/advisories/GHSA-pv22-fqcj-7xwh
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/05/GHSA-pv22-fqcj-7xwh/GHSA-pv22-fqcj-7xwh.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-pv22-fqcj-7xwh
- Aliases
- Published
- 2025-05-06T00:42:04Z
- Modified
- 2025-05-06T19:13:21Z
- Severity
-
- 6.7 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:H CVSS Calculator
- Summary
- Inspektor Gadget Security Policies Can be Bypassed
- Details
-
Security policies like <code>allowed-gadgets</code>, <code>disallow-pulling</code>, <code>verify-image</code> can be bypassed by a malicious client.
Impact
Users running
igin daemon mode or IG on Kubernetes that rely on any of the features mentioned above are vulnerable to this issue. In order to exploit this, the client needs access to the server, like the correct TLS certificates on theig daemoncase or access to the cluster in the Kubernetes case.Patches
The issue has been fixed in v0.40.0
Workarounds
There is not known workaround to fix it.
- Database specific
{ "nvd_published_at": null, "severity": "MODERATE", "github_reviewed_at": "2025-05-06T00:42:04Z", "github_reviewed": true, "cwe_ids": [ "CWE-285" ] }- References
Affected packages
Go / github.com/inspektor-gadget/inspektor-gadget
Package
- Name
- github.com/inspektor-gadget/inspektor-gadget
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/inspektor-gadget/inspektor-gadget