Submariner Operator sets unnecessary RBAC permissions in helm charts

Moderate severity GitHub Reviewed Published May 17, 2024 to the GitHub Advisory Database • Updated May 20, 2024

Package

gomod github.com/submariner-io/submariner-operator (Go)

Affected versions

< 0.16.4
>= 0.17.0, <= 0.18.0-m3

Patched versions

0.16.4

Description

A flaw was found in the Submariner project. Due to unnecessary role-based access control permissions, a privileged attacker can run a malicious container on a node that may allow them to steal service account tokens and further compromise other nodes and potentially the entire cluster.

References

Published by the National Vulnerability Database May 17, 2024
Published to the GitHub Advisory Database May 17, 2024
Reviewed May 17, 2024
Last updated May 20, 2024

Severity

Moderate (6.6 / 10)

CVSS base metrics

Attack vector: Network
Attack complexity: High
Privileges required: High
User interaction: None
Scope: Changed
Confidentiality: Low
Integrity: High
Availability: None
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:H/A:N

Weaknesses

CVE ID

CVE-2024-5042

GHSA ID

GHSA-2rhx-qhxp-5jpw