CVE-2021-43979
MEDIUMStyra Open Policy Agent (OPA) Gatekeeper <3.7.0 - Info Disclosure
Title source: llmDescription
Styra Open Policy Agent (OPA) Gatekeeper through 3.7.0 mishandles concurrency, sometimes resulting in incorrect access control. The data replication mechanism allows policies to access the Kubernetes cluster state. During data replication, OPA/Gatekeeper does not wait for the replication to finish before processing a request, which might cause inconsistencies between the replicated resources in OPA/Gatekeeper and the resources actually present in the cluster. Inconsistency can later be reflected in a policy bypass. NOTE: the vendor disagrees that this is a vulnerability, because Kubernetes states are only eventually consistent
References (2)
Core 2
Core References
Third Party Advisory x_refsource_misc
https://github.com/hkerma/opa-gatekeeper-concurrency-issue
Patch, Third Party Advisory x_refsource_misc
https://github.com/open-policy-agent/gatekeeper/releases
Scores
CVSS v3
5.3
EPSS
0.0091
EPSS Percentile
55.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Details
CWE
CWE-670
Status
published
Products (1)
openpolicyagent/gatekeeper
< 3.7.0
Published
Nov 17, 2021
Tracked Since
Feb 18, 2026