EUVD-2023-2961
Malicious code in bioql PyPI...
Insufficiently Protected Credentials
Overview: Affected versions of this package are vulnerable to Insufficiently Protected Credentials through the TokenReview API and PolicyBinding resource. An attacker can escalate privileges and potentially access sensitive data by exploiting the improper validation of service account tokens and...
Minio Operator uses Kubernetes apiserver audience for AssumeRoleWithWebIdentity STS
Prevent token leakage / privilege escalation
MinIO Operator STS: A Quick Overview
MinIO Operator STS is a native IAM Authentication for Kubernetes. MinIO Operator offers support for Secure Tokens a.k.a. STS which are a form of temporary access credentials for your MinIO Tenant. In essence, this...
GHSA-28GR-56HR-PRP6 Grafana Tempo Operator Vulnerable to Exposure of Sensitive Information to an Unauthorized Actor
A flaw was found in Tempo Operator, where it creates a ServiceAccount, ClusterRole, and ClusterRoleBinding when a user deploys a TempoStack or TempoMonolithic instance. This flaw allows a user with full access to their namespace to extract the ServiceAccount token and use it to submit TokenReview...
Grafana Tempo Operator Vulnerable to Exposure of Sensitive Information to an Unauthorized Actor
A flaw was found in Tempo Operator, where it creates a ServiceAccount, ClusterRole, and ClusterRoleBinding when a user deploys a TempoStack or TempoMonolithic instance. This flaw allows a user with full access to their namespace to extract the ServiceAccount token and use it to submit TokenReview...
Incorrect Default Permissions
Overview: Affected versions of this package are vulnerable to Incorrect Default Permissions in the validateMultitenancy function, invoked when creating a ServiceAccount, ClusterRole, or ClusterRoleBinding during a TempoStack or TempoMonolithic instance deployment. A user with full access to their...
Privilege escalation
capsule-proxy is a reverse proxy for the capsule operator project. Affected versions are subject to a privilege escalation vulnerability which is based on a missing check if the user is authenticated based on the TokenReview result. All the clusters running with the anonymous-auth Kubernetes API...
GHSA-FPVW-6M5V-HQFP Capsule Proxy Authentication bypass using an empty token
The privilege escalation is based on a missing check if the user is authenticated based on the TokenReview result. All the clusters running with the anonymous-auth Kubernetes API Server setting disable set to false are affected since it would be possible to bypass the token review mechanism,...
PT-2023-30775 · Unknown · Capsule-Proxy
Name of the Vulnerable Software and Affected Versions: capsule-proxy versions prior to 0.4.6
Description: The issue is a privilege escalation vulnerability based on a missing check if the user is authenticated based on the TokenReview result. This affects clusters running with the anonymous-auth...