Skip to content

Kubean vulnerable to cluster-level privilege escalation

Moderate severity GitHub Reviewed Published Aug 5, 2024 in kubean-io/kubean • Updated Sep 6, 2024

Package

gomod github.com/kubean-io/kubean (Go)

Affected versions

< 0.18.0

Patched versions

0.18.0

Description

Impact

This ClusterRole has * verbs of * resources. If a malicious user can access the worker node which has kubean's deployment, he/she can abuse these excessive permissions to do whatever he/she likes to the whole cluster, resulting in a cluster-level privilege escalation.

Patches

=v0.18.0

References

Reporting by @younaman(Nanzi Yang)
kubean-io/kubean#1326

References

@tu1h tu1h published to kubean-io/kubean Aug 5, 2024
Published to the GitHub Advisory Database Aug 5, 2024
Reviewed Aug 5, 2024
Published by the National Vulnerability Database Aug 5, 2024
Last updated Sep 6, 2024

Severity

Moderate

EPSS score

0.045%
(16th percentile)

Weaknesses

CVE ID

CVE-2024-41820

GHSA ID

GHSA-3wfj-3x8q-hrpg

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.