CVE-2021-36779 CRITICAL

CVE-2021-36779: Host operations allowed in privileged Longhorn managed pods

Vendor Suse
Product Longhorn
Weakness CWE-306 · Missing auth
Published December 17, 2021
Last update September 16, 2024

CVSS base score

9.6/10
Attack vector Adjacent
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

01Description

A Missing Authentication for Critical Function vulnerability in SUSE Longhorn allows any workload in the cluster to execute any binary present in the image on the host without authentication. This issue affects: SUSE Longhorn longhorn versions prior to 1.1.3; longhorn versions prior to 1.2.3.

Key dates

02Disclosure timeline

December 17, 2021 CVE published
September 16, 2024 Record updated