PT-2024-25231 · Unknown · Piraeus-Operator
Houqiyua
·
Published
2024-05-03
·
Updated
2024-07-03
·
CVE-2024-33398
CVSS v3.1
7.5
High
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
piraeus-operator versions 2.5.0 and earlier
Description
The issue allows an attacker to impersonate the service account bound to a ClusterRole in piraeus-operator, which has been granted list secrets permission. This permission enables the attacker to list confidential information across the cluster, posing a high risk.
Recommendations
For piraeus-operator versions 2.5.0 and earlier, consider restricting the privileges of the ClusterRole to prevent an attacker from listing secrets.
As a temporary workaround, consider disabling the list secrets permission for the ClusterRole until a patch is available.
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Exploit
Improper Privilege Management
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Piraeus-Operator