Kubean vulnerable to cluster-level privilege escalation
Package
Affected versions
< 0.18.0
Patched versions
0.18.0
Description
Published to the GitHub Advisory Database
Aug 5, 2024
Reviewed
Aug 5, 2024
Published by the National Vulnerability Database
Aug 5, 2024
Last updated
Nov 18, 2024
Impact
This ClusterRole has
*
verbs of*
resources. If a malicious user can access the worker node which has kubean's deployment, he/she can abuse these excessive permissions to do whatever he/she likes to the whole cluster, resulting in a cluster-level privilege escalation.Patches
References
Reporting by @younaman(Nanzi Yang)
kubean-io/kubean#1326
References