Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

x/vulndb: potential Go vuln in github.com/kubean-io/kubean: GHSA-3wfj-3x8q-hrpg #3039

Closed
GoVulnBot opened this issue Aug 5, 2024 · 2 comments
Closed

x/vulndb: potential Go vuln in github.com/kubean-io/kubean: GHSA-3wfj-3x8q-hrpg #3039

GoVulnBot opened this issue Aug 5, 2024 · 2 comments
Labels
triaged

Comments

@GoVulnBot
Copy link

Advisory GHSA-3wfj-3x8q-hrpg references a vulnerability in the following Go modules:

Module
github.com/kubean-io/kubean

Description:

Impact

This ClusterRole has * verbs of * resources. If a malicious user can access the worker node which has kubean's deployment, he/she can abuse these excessive permissions to do whatever he/she likes to the whole cluster, resulting in a cluster-level privilege escalation.

Patches

>=v0.18.0

References

Reporting by @younaman(Nanzi Yang)
kubean-io/kubean#1326

References:

No existing reports found with this module or alias.
See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/kubean-io/kubean
      versions:
        - fixed: 0.18.0
      vulnerable_at: 0.17.5
summary: Kubean vulnerable to cluster-level privilege escalation in github.com/kubean-io/kubean
cves:
    - CVE-2024-41820
ghsas:
    - GHSA-3wfj-3x8q-hrpg
references:
    - advisory: https://github.com/advisories/GHSA-3wfj-3x8q-hrpg
    - advisory: https://github.com/kubean-io/kubean/security/advisories/GHSA-3wfj-3x8q-hrpg
    - fix: https://github.com/kubean-io/kubean/commit/167e97329e4a27ba2f456d2846d39af20e1af7ef
    - report: https://github.com/kubean-io/kubean/issues/1326
source:
    id: GHSA-3wfj-3x8q-hrpg
    created: 2024-08-05T17:01:17.337017445Z
review_status: UNREVIEWED
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/603235 mentions this issue: data/reports: add 29 unreviewed reports

@tatianab tatianab mentioned this issue Aug 16, 2024
Closed
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/606360 mentions this issue: data/reports: regenerate 8 reports

gopherbot pushed a commit that referenced this issue Aug 19, 2024
@tatianab @gopherbot
data/reports: regenerate 8 reports
9fd9786 
  - data/reports/GO-2024-2993.yaml
  - data/reports/GO-2024-2997.yaml
  - data/reports/GO-2024-3033.yaml
  - data/reports/GO-2024-3039.yaml
  - data/reports/GO-2024-2921.yaml
  - data/reports/GO-2024-2982.yaml
  - data/reports/GO-2024-3066.yaml
  - data/reports/GO-2024-3070.yaml

Updates #2993
Updates #2997
Updates #3033
Updates #3039
Updates #2921
Updates #2982
Updates #3066
Updates #3070

Change-Id: I5a682ceba4983a42b0d7783535488c5ecf049f25
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/606360
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Auto-Submit: Tatiana Bradley <tatianabradley@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
# for free to join this conversation on GitHub. Already have an account? # to comment
Assignees
No one assigned
Labels
triaged
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@tatianab @gopherbot @GoVulnBot