GHSA-cwf6-xj49-wp83

Source
https://github.com/advisories/GHSA-cwf6-xj49-wp83
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/04/GHSA-cwf6-xj49-wp83/GHSA-cwf6-xj49-wp83.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-cwf6-xj49-wp83
Aliases
Published
2023-04-12T20:40:38Z
Modified
2024-08-20T20:59:03.124915Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
OpenFeature Operator vulnerable to Cluster-level Privilege Escalation
Details

Impact

On a node controlled by an attacker or malicious user, the lax permissions configured on open-feature-operator-controller-manager can be used to further escalate the privileges of any service account in the cluster.

The increased privileges could be used to modify cluster state (leading to denial of service) or to read sensitive data, including secrets.

Patches

The patch mitigates this issue by restricting the resources the open-feature-operator-controller-manager can modify.

Database specific
{
    "nvd_published_at": "2023-04-14T19:15:00Z",
    "github_reviewed_at": "2023-04-12T20:40:38Z",
    "severity": "HIGH",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-269"
    ]
}
References

Affected packages

Go / github.com/open-feature/open-feature-operator

Package

Name
github.com/open-feature/open-feature-operator
Purl
pkg:golang/github.com/open-feature/open-feature-operator

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
0.2.32