GHSA-6fg2-hvj9-832f

Source

https://github.com/advisories/GHSA-6fg2-hvj9-832f

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-6fg2-hvj9-832f/GHSA-6fg2-hvj9-832f.json

Aliases

CVE-2024-33398

Published

2024-05-03T18:30:36Z

Modified

2024-05-03T21:11:44.798928Z

Summary

piraeus-operator allows attacker to impersonate service account

Details

There is a ClusterRole in piraeus-operator v2.5.0 and earlier which has been granted list secrets permission, which allows an attacker to impersonate the service account bound to this ClusterRole and use its high-risk privileges to list confidential information across the cluster.

References

https://nvd.nist.gov/vuln/detail/CVE-2024-33398
https://gist.github.com/HouqiyuA/d0c11fae5ba4789946ae33175d0f9edb
https://github.com/HouqiyuA/k8s-rbac-poc
https://github.com/piraeusdatastore/piraeus-operator
https://piraeus.io

Affected packages

Go / github.com/piraeusdatastore/piraeus-operator/v2

Package

Name: github.com/piraeusdatastore/piraeus-operator/v2

Affected ranges

Type: SEMVER
Events: Introduced

0The exact introduced commit is unknown

Last affected

2.5.0