Submariner-operator: rbac permissions can allow for the spread of node compromises

CVE-2024-5042

6.6MEDIUM

Key Information

Vendor: Red Hat
Status: Rhodf-4.16-rhel-9; Red Hat Advanced Cluster Management For Kubernetes 2
Vendor: CVE Published:; 17 May 2024

Summary

A flaw was found in the Submariner project. Due to unnecessary role-based access control permissions, a privileged attacker can run a malicious container on a node that may allow them to steal service account tokens and further compromise other nodes and potentially the entire cluster.

Affected Version(s)

RHODF-4.16-RHEL-9 <= v4.16.0-19

CVSS V3.1

Score:

6.6

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

High

User Interaction:

None

Scope:

Changed

Timeline

Risk change from: null to: 6.6 - (MEDIUM)
May 17, 2024
Vulnerability Reserved.
May 17, 2024
Vulnerability published.
May 17, 2024
Reported to Red Hat.
May 15, 2024

Collectors

NVD DatabaseMitre Database