CVE-2023-3027

Published: Jun 5, 2023Modified: Jan 8, 2025

7.8

Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 1.8 / Impact: 5.9

Source: NVD

Description

The grc-policy-propagator allows security escalation within the cluster. The propagator allows policies which contain some dynamically obtained values (instead of the policy apply a static manifest on a managed cluster) of taking advantage of cluster scoped access in a created policy. This feature does not restrict properly to lookup content from the namespace where the policy was created.

Affected (3)

Products: Redhat: Advanced Cluster Management For Kubernetes

Redhat

1 product

Advanced Cluster Management For Kubernetes

Configuration A

3 vulnerable

Vulnerable Software	Affected Versions
Redhat Advanced Cluster Management For Kubernetes	Version 2.5
Redhat Advanced Cluster Management For Kubernetes	Version 2.6
Redhat Advanced Cluster Management For Kubernetes	Version 2.7

Related CWEs

CWE-269

Improper Privilege Management

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

CWE-863

Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

References (2)

https://bugzilla.redhat.com/show_bug.cgi?id=2211468#c0

Source: secalert@redhat.com

Issue TrackingVendor Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=2211468#c0

Source: af854a3a-2127-422b-91ae-364da2661108

Issue TrackingVendor Advisory

Timeline

No history available yet.