PT-2023-22090 · Unknown · Openfeature Operator
Younaman
·
Publicado
2023-04-12
·
Atualizado
2024-08-20
·
CVE-2023-29018
CVSS v3.1
8.8
Alta
| Vetor | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
OpenFeature Operator versions prior to 0.2.32
Description
The issue allows an attacker to escalate the privileges of any service account in the cluster, assuming the pre-existence of a vulnerability that enables arbitrary code execution. This could lead to modification of cluster state, resulting in Denial of Service (DoS), or reading sensitive data, including secrets. The lax permissions configured on
open-feature-operator-controller-manager are leveraged to achieve this escalation.Recommendations
For versions prior to 0.2.32, update to version 0.2.32 to mitigate the issue by restricting the resources the
open-feature-operator-controller-manager can modify. As a temporary workaround, consider restricting the permissions of the open-feature-operator-controller-manager to minimize the risk of exploitation.Exploit
Correção
Improper Privilege Management
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Enumeração de Fraquezas
Identificadores relacionados
Produtos afetados
Openfeature Operator