PT-2024-35149 · Rancher · Steve
Published 2024-11-20 · Updated 2025-04-11
CVE-2024-52280
CVSS v3.1: 7.7 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Steve versions prior to those that include the following commits:
https://github.com/rancher/steve/commit/2175e090fe4b1e603a54e1cdc5148a2b1c11b4d9
https://github.com/rancher/steve/commit/6e30359c652333a49e229b2791c9b403d5ef81a9
https://github.com/rancher/steve/commit/c744f0b17b88ff5e2fcabc60841174d878ddc88e
Description
A vulnerability has been discovered in Steve API that allows users to watch resources they are not allowed to access, provided they have at least some generic permission on the resource type. For example, a user who can get a single secret in a single namespace can get all secrets in every namespace. This occurs because, during a watch request for a single ID, Steve API uses the admin client, which can read all resources, instead of a client that impersonates the user making the request. This allows any requester to see the contents of any object, such as secret keys, signing certificates, and API tokens.
Recommendations
To address this issue, update to a version of Steve API that includes the fixes, such as the versions including the following commits:
https://github.com/rancher/steve/commit/2175e090fe4b1e603a54e1cdc5148a2b1c11b4d9
https://github.com/rancher/steve/commit/6e30359c652333a49e229b2791c9b403d5ef81a9
https://github.com/rancher/steve/commit/c744f0b17b88ff5e2fcabc60841174d878ddc88e
As a temporary workaround, consider restricting access to watch requests that specify an ID, to minimize the risk of exploitation.
At the moment, there are no other workarounds for this issue. Users are recommended to upgrade as soon as possible.
Fix
Improper Authentication
Information Disclosure
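To make concrete the distinction the description draws between the admin client and an impersonating client, here is an added example that is not Steve's own code: a simplified Go model in which the single-ID watch path is handed either a cluster-wide AdminClient or a UserClient that checks the requester's namespace grants before reading anything. The Resource, Client, AdminClient, UserClient, WatchByID and NewDemo names, and the grant table, are assumptions made for this illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// Resource is a constructed stand-in for a namespaced Kubernetes object such as a Secret.
type Resource struct{ Namespace, Name, Data string }
// Client is the read path a single-ID watch handler uses.
type Client interface{ Get(ns, name string) (Resource, error) }
var ErrForbidden = errors.New("forbidden")
// AdminClient reads with cluster-wide privileges (assumed model, not Steve's own type).
type AdminClient struct{ store map[string]Resource }

func (a AdminClient) Get(ns, name string) (Resource, error) {
	if r, ok := a.store[ns+"/"+name]; ok {
		return r, nil
	}
	return Resource{}, errors.New("not found")
}
// UserClient models an impersonating client: the requester's grants are checked
// before any object data is read, as the API server would do for that user.
type UserClient struct {
	backend AdminClient
	grants  map[string]bool // constructed RBAC table: namespace -> may get/watch
}

func (u UserClient) Get(ns, name string) (Resource, error) {
	if !u.grants[ns] {
		return Resource{}, ErrForbidden
	}
	return u.backend.Get(ns, name)
}
// WatchByID is the single-ID watch path. The flaw is handing it the AdminClient
// regardless of who asked; the fix is to always pass the requester's UserClient.
func WatchByID(c Client, ns, name string) (Resource, error) { return c.Get(ns, name) }

// NewDemo builds a constructed cluster: one secret the user may read, one they may not.
func NewDemo() (AdminClient, UserClient) {
	admin := AdminClient{store: map[string]Resource{
		"dev/app-token":           {"dev", "app-token", "dev-token"},
		"kube-system/signing-key": {"kube-system", "signing-key", "constructed-secret"},
	}}
	return admin, UserClient{backend: admin, grants: map[string]bool{"dev": true}}
}

func main() {
	_, user := NewDemo()
	_, err := WatchByID(user, "kube-system", "signing-key")
	fmt.Println("cross-namespace watch as user:", err) // forbidden
}
```

Selecting the client by requester identity is the whole fix; any code path that falls back to the admin client for a user-initiated read reintroduces the leak.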
Related Identifiers
Affected Products
Steve