CVELIST:CVE-2023-5408 (Red Hat)
History: Nov 02, 2023 - 2:55 a.m.

CVE-2023-5408 Openshift: modification of node role labels

Published: 2023-11-02 02:55:58
CWE-269
Source: redhat (www.cve.org)
Tags: openshift, privilege escalation, kube api server, remote attacker, node role label, worker nodes, cluster

CVSS3

7.2

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

EPSS

0.001

Percentile

48.6%

A privilege escalation flaw was found in the NodeRestriction admission plugin of the Kubernetes API server in OpenShift. A remote attacker who is able to modify a node's node-role label (the PR:H rating reflects the privilege needed to do so) could relabel a worker node so that control-plane and etcd workloads are scheduled onto it, and thereby gain broader access to the cluster. Fixed builds of the openshift4/ose-cluster-kube-apiserver-operator image for OpenShift 4.11 through 4.14 are listed under CNA Affected below.
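The two things a practitioner wants after reading that description are the rule the admission plugin should have enforced and a way to spot a worker that has already been relabelled. The Python below is an added example, not Red Hat's or the Kubernetes project's code: `admission_decision()` models the check on Node UPDATE requests (a `system:node:<name>` identity may only touch its own Node object and may not add, remove or change any `node-role.kubernetes.io/*` label; the identity format and label prefix are upstream Kubernetes conventions, and the actual OpenShift fix is not reproduced), and `find_role_drift()` audits a list of Node objects against the set of nodes the operator expects to be control plane. All node data and the `EXPECTED_CONTROL_PLANE` set are constructed for the example.

```python
"""Audit helpers modelled on the CVE-2023-5408 description.

Added example, not Red Hat's or the Kubernetes project's own code. Two
functions:

  admission_decision()  - the rule a node-restriction admission check is
      expected to enforce on Node UPDATE requests: a kubelet identity
      (system:node:<name>) may only touch its own Node object and may not
      add, remove or change any node-role.kubernetes.io/* label. The
      identity format and label prefix are upstream Kubernetes conventions;
      the OpenShift fix itself is not reproduced here.

  find_role_drift()     - an audit over Node objects that flags nodes whose
      node-role labels disagree with the control-plane set the operator
      expects. All node data below is constructed sample data.
"""
from __future__ import annotations

from typing import Dict, Iterable, List, Optional, Set, Tuple

ROLE_PREFIX = "node-role.kubernetes.io/"
NODE_USER_PREFIX = "system:node:"
CONTROL_PLANE_ROLES = {"master", "control-plane"}


def make_node(name: str, roles: Iterable[str],
              extra: Optional[Dict[str, str]] = None) -> dict:
    """Build a minimal Node object with the given role labels (constructed data)."""
    labels = {ROLE_PREFIX + r: "" for r in roles}
    labels.update(extra or {})
    return {"apiVersion": "v1", "kind": "Node",
            "metadata": {"name": name, "labels": labels}}


def role_labels(node: dict) -> Dict[str, str]:
    """Return only the node-role.kubernetes.io/* labels of a Node object."""
    labels = node["metadata"].get("labels", {})
    return {k: v for k, v in labels.items() if k.startswith(ROLE_PREFIX)}


def admission_decision(username: str, old_node: dict, new_node: dict) -> Tuple[bool, str]:
    """Decide whether a Node UPDATE from `username` should be admitted.

    Returns (allowed, reason). Non-node identities are passed through; RBAC,
    not this check, governs what an administrator may do.
    """
    if not username.startswith(NODE_USER_PREFIX):
        return True, "not a node identity; not subject to node restriction"
    kubelet = username[len(NODE_USER_PREFIX):]
    target = new_node["metadata"]["name"]
    if target != kubelet:
        return False, f"node {kubelet!r} may not modify node {target!r}"
    old_roles, new_roles = role_labels(old_node), role_labels(new_node)
    # Any key whose presence or value differs between old and new is a role change.
    changed = sorted(k for k in set(old_roles) | set(new_roles)
                     if old_roles.get(k) != new_roles.get(k))
    if changed:
        return False, f"node {kubelet!r} may not modify role labels: {changed}"
    return True, "ok"


def find_role_drift(nodes: Iterable[dict], expected_control_plane: Set[str]) -> List[str]:
    """Flag nodes whose control-plane role labels contradict the expected set."""
    findings: List[str] = []
    for node in nodes:
        name = node["metadata"]["name"]
        roles = {k[len(ROLE_PREFIX):] for k in role_labels(node)}
        cp_roles = sorted(roles & CONTROL_PLANE_ROLES)
        if cp_roles and name not in expected_control_plane:
            findings.append(f"{name}: carries control-plane role(s) {cp_roles} "
                            f"but is not an expected control-plane node")
        elif not cp_roles and name in expected_control_plane:
            findings.append(f"{name}: expected control-plane node has no control-plane role label")
    return findings


# Constructed sample cluster: one control-plane node, one clean worker and one
# worker that has had node-role.kubernetes.io/master added to its labels.
EXPECTED_CONTROL_PLANE = {"master-0"}
SAMPLE_NODES = [
    make_node("master-0", ["master", "control-plane"]),
    make_node("worker-0", ["worker"]),
    make_node("worker-1", ["worker", "master"]),
]

if __name__ == "__main__":
    clean = make_node("worker-1", ["worker"])
    tampered = make_node("worker-1", ["worker", "master"])
    print(admission_decision("system:node:worker-1", clean, tampered))
    for finding in find_role_drift(SAMPLE_NODES, EXPECTED_CONTROL_PLANE):
        print(finding)
```

On a live cluster the audit input would come from the Node list the API server returns, and the expected control-plane set from the installation record rather than a hard-coded set; the check deliberately treats both `master` and `control-plane` as control-plane roles because both labels appear on OpenShift control-plane nodes.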

CNA Affected

[
  {
    "vendor": "Red Hat",
    "product": "Red Hat OpenShift Container Platform 4.11",
    "collectionURL": "https://catalog.redhat.com/software/containers/",
    "packageName": "openshift4/ose-cluster-kube-apiserver-operator",
    "defaultStatus": "affected",
    "versions": [
      {
        "version": "v4.11.0-202311211130.p0.g7021090.assembly.stream",
        "lessThan": "*",
        "versionType": "rpm",
        "status": "unaffected"
      }
    ],
    "cpes": [
      "cpe:/a:redhat:openshift:4.11::el8"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat OpenShift Container Platform 4.12",
    "collectionURL": "https://catalog.redhat.com/software/containers/",
    "packageName": "openshift4/ose-cluster-kube-apiserver-operator",
    "defaultStatus": "affected",
    "versions": [
      {
        "version": "v4.12.0-202311021630.p0.gfe5e2a1.assembly.stream",
        "lessThan": "*",
        "versionType": "rpm",
        "status": "unaffected"
      }
    ],
    "cpes": [
      "cpe:/a:redhat:openshift:4.12::el8"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat OpenShift Container Platform 4.13",
    "collectionURL": "https://catalog.redhat.com/software/containers/",
    "packageName": "openshift4/ose-cluster-kube-apiserver-operator",
    "defaultStatus": "affected",
    "versions": [
      {
        "version": "v4.13.0-202310210425.p0.gd525f5d.assembly.stream",
        "lessThan": "*",
        "versionType": "rpm",
        "status": "unaffected"
      }
    ],
    "cpes": [
      "cpe:/a:redhat:openshift:4.13::el9",
      "cpe:/a:redhat:openshift:4.13::el8"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat OpenShift Container Platform 4.14",
    "collectionURL": "https://catalog.redhat.com/software/containers/",
    "packageName": "openshift4/ose-cluster-kube-apiserver-operator",
    "defaultStatus": "affected",
    "versions": [
      {
        "version": "v4.14.0-202310201027.p0.g8b38d12.assembly.stream",
        "lessThan": "*",
        "versionType": "rpm",
        "status": "unaffected"
      }
    ],
    "cpes": [
      "cpe:/a:redhat:openshift:4.14::el9",
      "cpe:/a:redhat:openshift:4.14::el8"
    ]
  }
]