5 matches found
GHSA-RF84-WR5G-M3RP CAPM3 vulnerable to Cross-Namespace resource access
Summary: CAPM3 is Metal3's Cluster API (CAPI) provider for baremetal provisioning in Kubernetes. Multiple cross-namespace access control vulnerabilities in Cluster API Provider Metal3 allow users with permissions to create or modify CAPM3 resources in one namespace to reference, read, or claim...
CVE-2024-43803
A flaw was found in the Bare Metal Operator (BMO). The BMO implements a Kubernetes API for managing bare metal hosts in Metal3. The BareMetalHost (BMH) CRD allows the userData, metaData, and networkData for the provisioned host to be specified as links to Kubernetes Secrets. There are fields for the...
CVE-2024-43803 BMO can expose particularly named secrets from other namespaces via BMH CRD
The Bare Metal Operator (BMO) implements a Kubernetes API for managing bare metal hosts in Metal3. The BareMetalHost (BMH) CRD allows the userData, metaData, and networkData for the provisioned host to be specified as links to Kubernetes Secrets. There are fields for both the Name and Namespace of th...
CVE-2024-43803 BMO can expose particularly named secrets from other namespaces via BMH CRD
The Bare Metal Operator (BMO) implements a Kubernetes API for managing bare metal hosts in Metal3. The BareMetalHost (BMH) CRD allows the userData, metaData, and networkData for the provisioned host to be specified as links to Kubernetes Secrets. There are fields for both the Name and Namespace of th...
PT-2024-30671 · Unknown +1 · Baremetal Operator +2
Name of the Vulnerable Software and Affected Versions: baremetal-operator versions prior to 0.8.0; baremetal-operator versions prior to 0.6.2; baremetal-operator versions prior to 0.5.2
Description: The Bare Metal Operator (BMO) implements a Kubernetes API for managing bare metal hosts in Metal3. The...