CVE-2023-29018

Name of the Vulnerable Software and Affected Versions OpenFeature Operator versions prior to 0.2.32

Description The issue allows an attacker to escalate the privileges of any service account in the cluster, assuming the pre-existence of a vulnerability that enables arbitrary code execution. This could lead to modification of cluster state, resulting in Denial of Service (DoS), or reading sensitive data, including secrets. The lax permissions configured on open-feature-operator-controller-manager are leveraged to achieve this escalation.

Recommendations For versions prior to 0.2.32, update to version 0.2.32 to mitigate the issue by restricting the resources the open-feature-operator-controller-manager can modify. As a temporary workaround, consider restricting the permissions of the open-feature-operator-controller-manager to minimize the risk of exploitation.