CVE-2023-2250

2023-04-2421:15:09

CWE-268

redhat

web.nvd.nist.gov

open cluster management

ocm

cve-2023-2250

nvd

security

privilege escalation

kubernetes

cluster security

CVSS3

6.7

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

EPSS

Percentile

9.0%

JSON

A flaw was found in the Open Cluster Management (OCM) when a user have access to the worker nodes which has the cluster-manager-registration-controller or cluster-manager deployments. A malicious user can take advantage of this and bind the cluster-admin to any service account or using the service account to list all secrets for all kubernetes namespaces, leading into a cluster-level privilege escalation.

Affected configurations

Nvd

Vulners

Node

linuxfoundationopen_cluster_managementMatch-

VendorProductVersionCPE
linuxfoundationopen_cluster_management-cpe:2.3:a:linuxfoundation:open_cluster_management:-:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
linuxfoundation	open_cluster_management	-	cpe:2.3:a:linuxfoundation:open_cluster_management:-:::::::*

CNA Affected

[
  {
    "vendor": "n/a",
    "product": "MCE",
    "versions": [
      {
        "version": "2.3.0",
        "status": "affected"
      }
    ]
  }
]