Lucene search

Veracode Vulnerability DatabaseVERACODE:48459

HistoryAug 13, 2024 - 5:43 a.m.

Improper Access Control

2024-08-1305:43:21

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

improper access control

vulnerability

rbac

etcd

tcps api servers

data access

CVSS3

9.9

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

AI Score

6.7

Confidence

High

EPSS

0.001

Percentile

25.5%

JSON

github.com/clastix/kamaji is vulnerable to Improper Access Control. The vulnerability is due to inadequate use of an “open at the top” range definition in RBAC for etcd roles, which allows some TCPs API servers to read, write, and delete data of other control planes.

References

github.com/advisories/GHSA-6r4j-4rjc-8vw5

github.com/clastix/kamaji/blob/8cdc6191242f80d120c46b166e2102d27568225a/internal/datastore/etcd.go#L19-L24

github.com/clastix/kamaji/commit/1731e8c2ed5148b125ecfbdf091ee177bd44f3db

github.com/clastix/kamaji/security/advisories/GHSA-6r4j-4rjc-8vw5

CVSS3

9.9

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

AI Score

6.7

Confidence

High

EPSS

0.001

Percentile

25.5%

JSON

Related for VERACODE:48459