CVE-2023-3027

2023-06-0522:15:12

CWE-269

[email protected]

web.nvd.nist.gov

grc-policy-propagator

security escalation

cluster scoped access

dynamic values

namespace restriction

CVSS3

7.8

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS

Percentile

9.0%

JSON

The grc-policy-propagator allows security escalation within the cluster. The propagator allows policies which contain some dynamically obtained values (instead of the policy apply a static manifest on a managed cluster) of taking advantage of cluster scoped access in a created policy. This feature does not restrict properly to lookup content from the namespace where the policy was created.

Affected configurations

Nvd

Node

redhatadvanced_cluster_management_for_kubernetesMatch2.5

redhatadvanced_cluster_management_for_kubernetesMatch2.6

redhatadvanced_cluster_management_for_kubernetesMatch2.7

VendorProductVersionCPE
redhatadvanced_cluster_management_for_kubernetes2.5cpe:2.3:a:redhat:advanced_cluster_management_for_kubernetes:2.5:*:*:*:*:*:*:*
redhatadvanced_cluster_management_for_kubernetes2.6cpe:2.3:a:redhat:advanced_cluster_management_for_kubernetes:2.6:*:*:*:*:*:*:*
redhatadvanced_cluster_management_for_kubernetes2.7cpe:2.3:a:redhat:advanced_cluster_management_for_kubernetes:2.7:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
redhat	advanced_cluster_management_for_kubernetes	2.5	cpe:2.3:a:redhat:advanced_cluster_management_for_kubernetes:2.5:::::::*
redhat	advanced_cluster_management_for_kubernetes	2.6	cpe:2.3:a:redhat:advanced_cluster_management_for_kubernetes:2.6:::::::*
redhat	advanced_cluster_management_for_kubernetes	2.7	cpe:2.3:a:redhat:advanced_cluster_management_for_kubernetes:2.7:::::::*