Bug 1191819 - (CVE-2021-36780) VUL-0: CVE-2021-36780: Unauthorized data access from replicas through vulnerable instance manager pods
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P5 - None, Severity: Critical
Assigned To: Security Team bot
Reported: 2021-10-19 09:48 UTC by David Ko
Modified: 2021-12-17 07:07 UTC (History)

Comment 4 David Ko 2021-10-19 12:39:00 UTC
(In reply to Johannes Segitz from comment #3)
> can you please provide the information about the issue here or link to the
> github issue so we can evaluate before we assign? Thanks

https://github.com/longhorn/security/issues/2 (this is a private issue you can't access, but you can see the info below)

It's related to https://github.com/longhorn/longhorn/issues/1805.

Users are able to read data from the replica during the engine controller downtime.
Comment 5 Marcus Meissner 2021-11-02 09:10:52 UTC
use CVE-2021-36780
Comment 6 David Ko 2021-12-17 05:27:32 UTC
https://github.com/longhorn/longhorn/security/advisories/GHSA-27q8-g55w-83p9 published. 

Please help publish to Mitre. Thank you.
Comment 7 Johannes Segitz 2021-12-17 07:07:35 UTC
public and fixed