Soluto / kamus

An open source, git-ops, zero-trust secret encryption and decryption solution for Kubernetes applications
https://kamus.soluto.io
Apache License 2.0
930 stars 68 forks

Decryption doesn't fail when doing from unauthorized service account #526

Closed vivekpd15 closed 4 years ago

vivekpd15 commented 4 years ago

Describe the bug A clear and concise description of what the bug is.

Versions used

  - Kamus (API images): 0.6.7.0
  - Kamus CLI: 0.3.0
  - Chart version: 0.4.8
  - KMS provider: AWS KMS
  - Kubernetes flavour and version: KOPS 1.15.12

To Reproduce Steps to reproduce the behavior:

  1. Encrypt a key with kamus secret with namespace A and service account B
  2. Decrypt the key using namespace C and service account D

Expected behavior

Decryption should have failed. It successfully decrypted the key.

omerlh commented 4 years ago

Closing the issue as this is a security issue and should be reported according to our security policy. Please do not use GitHub issue for security reporting.

shaikatz commented 4 years ago

Fixed with https://github.com/Soluto/kamus/commit/a864a3183ad5adc64c78b92cbbc11e4d5ad501a4