CVSS3: 5.9 Medium

Metric | Value |
---|---|
Attack Vector | LOCAL |
Attack Complexity | LOW |
Privileges Required | NONE |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | LOW |
Integrity Impact | LOW |
Availability Impact | LOW |

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

AI Score: 6.7 Medium (Confidence: High)

kubevirt.io/kubevirt is vulnerable to Improper Access Control. The vulnerability is due to a ClusterRole that grants excessive permissions to list all secrets in the cluster. This setup does not adhere to the principle of least privilege and potentially allows an attacker to impersonate the service account tied to this ClusterRole.

Name | Operator | Version |
---|---|---|
kubevirt.io/kubevirt | le | v1.3.0-beta.0 |