CVE-2024-41820

Published: Aug 5, 2024Modified: Aug 6, 2024

6.0

Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:H

Exploitability: 1.2 / Impact: 4.7

Source: security-advisories@github.com (Secondary)

Description

Kubean is a cluster lifecycle management toolchain based on kubespray and other cluster LCM engine. The ClusterRole has `*` verbs of `*` resources. If a malicious user can access the worker node which has kubean's deployment, he/she can abuse these excessive permissions to do whatever he/she likes to the whole cluster, resulting in a cluster-level privilege escalation. This issue has been addressed in release version 0.18.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Related CWEs

CWE-732

Incorrect Permission Assignment for Critical Resource

The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.

References (3)

https://github.com/kubean-io/kubean/commit/167e97329e4a27ba2f456d2846d39af20e1af7ef

Source: security-advisories@github.com

https://github.com/kubean-io/kubean/issues/1326

Source: security-advisories@github.com

https://github.com/kubean-io/kubean/security/advisories/GHSA-3wfj-3x8q-hrpg

Source: security-advisories@github.com

Timeline

No history available yet.