Ecosyste.ms: Advisories

Security Advisories: GSA_kwCzR0hTQS0zd2ZqLTN4OHEtaHJwZ84AA-YQ

Kubean vulnerable to cluster-level privilege escalation

Impact

This ClusterRole has * verbs of * resources. If a malicious user can access the worker node which has kubean's deployment, he/she can abuse these excessive permissions to do whatever he/she likes to the whole cluster, resulting in a cluster-level privilege escalation.

Patches

=v0.18.0

References

Reporting by @younaman(Nanzi Yang)
https://github.com/kubean-io/kubean/issues/1326

Permalink: https://github.com/advisories/GHSA-3wfj-3x8q-hrpg
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0zd2ZqLTN4OHEtaHJwZ84AA-YQ
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 4 months ago
Updated: 5 days ago

CVSS Score: 6.0
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:H

Identifiers: GHSA-3wfj-3x8q-hrpg, CVE-2024-41820
References:

• https://github.com/kubean-io/kubean/security/advisories/GHSA-3wfj-3x8q-hrpg
• https://github.com/kubean-io/kubean/issues/1326
• https://github.com/kubean-io/kubean/commit/167e97329e4a27ba2f456d2846d39af20e1af7ef
• https://nvd.nist.gov/vuln/detail/CVE-2024-41820
• https://pkg.go.dev/vuln/GO-2024-3039
• https://github.com/advisories/GHSA-3wfj-3x8q-hrpg

Repository: https://github.com/kubean-io/kubean
Blast Radius: 1.0

Affected Packages