Skip to main content

Kubean CVE-2024-41820

MEDIUM
Incorrect Permission Assignment for Critical Resource (CWE-732)
2024-08-05 security-advisories@github.com
6.0
CVSS 3.1 · Vendor: github
Share

Severity by source

Vendor (github) PRIMARY
6.0 MEDIUM
AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:H

Primary rating from Vendor (github) · only source for this CVE.

CVSS VectorVendor: github

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
High

Lifecycle Timeline

1
CVE Published
Aug 05, 2024 - 20:15 cve.org
MEDIUM 6.0

DescriptionCVE.org

Kubean is a cluster lifecycle management toolchain based on kubespray and other cluster LCM engine. The ClusterRole has * verbs of * resources. If a malicious user can access the worker node which has kubean's deployment, he/she can abuse these excessive permissions to do whatever he/she likes to the whole cluster, resulting in a cluster-level privilege escalation. This issue has been addressed in release version 0.18.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.

AnalysisAI

Kubean is a cluster lifecycle management toolchain based on kubespray and other cluster LCM engine. Rated medium severity (CVSS 6.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified as Incorrect Permission Assignment (CWE-732), which allows attackers to access resources due to misconfigured permissions. Kubean is a cluster lifecycle management toolchain based on kubespray and other cluster LCM engine. The ClusterRole has * verbs of * resources. If a malicious user can access the worker node which has kubean's deployment, he/she can abuse these excessive permissions to do whatever he/she likes to the whole cluster, resulting in a cluster-level privilege escalation. This issue has been addressed in release version 0.18.0. Users are advised to upgrade. There are no known workarounds for this vulnerability. Version information: version 0.18.0..

Affected ProductsAI

See vendor advisory for affected versions.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Review and restrict file/resource permissions, apply principle of least privilege.

Share

CVE-2024-41820 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy