Openshift: modification of node role labels
CVE-2023-5408

7.2HIGH

Key Information:

Vendor: Red Hat
Status: Red Hat Openshift Container Platform 4.11; Red Hat Openshift Container Platform 4.12; Red Hat Openshift Container Platform 4.13; Red Hat Openshift Container Platform 4.14
Vendor: CVE Published:; 2 November 2023

Summary

A privilege escalation vulnerability exists in the node restriction admission plugin of the Kubernetes API server within OpenShift. An unauthorized remote attacker could exploit this flaw by altering the node role label, enabling them to redirect workloads from the control plane and etcd nodes to different worker nodes. This exploitation can allow for unauthorized access to broader areas within the cluster, potentially compromising the integrity and security of the entire environment.

Affected Version(s)

Red Hat OpenShift Container Platform 4.11 v4.11.0-202311211130.p0.g7021090.assembly.stream

Red Hat OpenShift Container Platform 4.12 v4.12.0-202311021630.p0.gfe5e2a1.assembly.stream

Red Hat OpenShift Container Platform 4.13 v4.13.0-202310210425.p0.gd525f5d.assembly.stream

References

https://access.redhat.com/errata/RHSA-2023:5006

vendor-advisoryx_refsource_REDHAT

https://access.redhat.com/errata/RHSA-2023:6130

vendor-advisoryx_refsource_REDHAT

https://access.redhat.com/errata/RHSA-2023:6842

vendor-advisoryx_refsource_REDHAT

CVSS V3.1

Score:

7.2

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Nov 2, 2023
Vulnerability Reserved
Oct 4, 2023

Collectors

NVD DatabaseMitre Database

Credit

This issue was discovered by Derek Carr (Red Hat) and Mrunal Patel (Red Hat).