GoogleOSV:GHSA-MGWR-H7MV-FH29Hwameistor Potential Permission Leakage of Cluster Level
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
5.1%
Impact
What kind of vulnerability is it? Who is impacted?
This ClusterRole has * verbs of * resources. If a malicious user can access the worker node which has hwameistor’s deployment, he/she can abuse these excessive permissions to do whatever he/she likes to the whole cluster, resulting in a cluster-level privilege escalation.
Patches
Has the problem been patched? What versions should users upgrade to?
>= v0.14.6
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
Update and Limit the ClusterRole using security-role.
References
Are there any links users can visit to find out more?
issues:
https://github.com/hwameistor/hwameistor/issues/1457
https://github.com/hwameistor/hwameistor/issues/1460
also reported by users via mails:
sparkEchooo, younaman
References
github.com/hwameistor/hwameistor
github.com/hwameistor/hwameistor/blob/main/helm/hwameistor/templates/clusterrole.yaml
github.com/hwameistor/hwameistor/commit/edf4cebed73cadd230bf97eab65c5311f2858450
github.com/hwameistor/hwameistor/issues/1457
github.com/hwameistor/hwameistor/issues/1460
github.com/hwameistor/hwameistor/security/advisories/GHSA-mgwr-h7mv-fh29
nvd.nist.gov/vuln/detail/CVE-2024-45054
Related
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
5.1%