Products
Kubean
- 0.18.0
Source
security-advisories@github.com
Tags
CVE-2024-41820 details
Last Modified : Aug. 5, 2024, 8:15 p.m.
Description
Kubean is a cluster lifecycle management toolchain based on kubespray and other cluster LCM engine. The ClusterRole has `*` verbs of `*` resources. If a malicious user can access the worker node which has kubean's deployment, he/she can abuse these excessive permissions to do whatever he/she likes to the whole cluster, resulting in a cluster-level privilege escalation. This issue has been addressed in release version 0.18.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVSS Score
| 1 | 2 | 3 | 4 | 5 | 6.0 | 7 | 8 | 9 | 10 |
|---|
Weakness
| Weakness | Name | Description |
|---|---|---|
| CWE-732 | Incorrect Permission Assignment for Critical Resource | The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors. |
CVSS Data
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
HIGH
Base Score
6.0
Exploitability Score
1.2
Impact Score
4.7
Base Severity
MEDIUM
Vector String : CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:H
References
| URL | Source |
|---|---|
| https://github.com/kubean-io/kubean/commit/167e97329e4a27ba2f456d2846d39af20e1af7ef | security-advisories@github.com |
| https://github.com/kubean-io/kubean/issues/1326 | security-advisories@github.com |
| https://github.com/kubean-io/kubean/security/advisories/GHSA-3wfj-3x8q-hrpg | security-advisories@github.com |