History: May 03, 2024 - 4:15 p.m.

CVE-2024-33398

2024-05-03 16:15:11
CWE-269
mitre
web.nvd.nist.gov
cve-2024-33398
clusterrole
piraeus-operator
list secrets permission
attacker
service account
high-risk privileges
confidential information

CVSS3: 7.5

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

AI Score: 6.4
Confidence: Low

EPSS: 0
Percentile: 15.5%

A ClusterRole in piraeus-operator v2.5.0 and earlier has been granted the list secrets permission. This allows an attacker to impersonate the service account bound to this ClusterRole and use its high-risk privileges to list confidential information across the cluster.
