CVE-2023-2250

2023-04-2421:15:09

CWE-268

[email protected]

web.nvd.nist.gov

open cluster management

ocm

cve-2023-2250

nvd

security

privilege escalation

kubernetes

cluster security

6.7 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

0.0004 Low

EPSS

Percentile

9.1%

JSON

A flaw was found in the Open Cluster Management (OCM) when a user have access to the worker nodes which has the cluster-manager-registration-controller or cluster-manager deployments. A malicious user can take advantage of this and bind the cluster-admin to any service account or using the service account to list all secrets for all kubernetes namespaces, leading into a cluster-level privilege escalation.

Affected configurations

Vulners

NVD

Node

mceRange≤2.3.0

CPENameOperatorVersion
linuxfoundation:open_cluster_managementlinuxfoundation open cluster managementeq-

CPE	Name	Operator	Version
linuxfoundation:open_cluster_management	linuxfoundation open cluster management	eq	-

CNA Affected

[
  {
    "vendor": "n/a",
    "product": "MCE",
    "versions": [
      {
        "version": "2.3.0",
        "status": "affected"
      }
    ]
  }
]