CVE-2024-41820
CVSS V2 None
CVSS V3 None
Description
Kubean is a cluster lifecycle management toolchain based on kubespray and other cluster LCM engine. The ClusterRole has `*` verbs of `*` resources. If a malicious user can access the worker node which has kubean's deployment, he/she can abuse these excessive permissions to do whatever he/she likes to the whole cluster, resulting in a cluster-level privilege escalation. This issue has been addressed in release version 0.18.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Overview
- CVE ID
- CVE-2024-41820
- Assigner
- GitHub_M
- Vulnerability Status
- PUBLISHED
- Published Version
- 2024-08-05T20:07:49.048Z
- Last Modified Date
- 2024-08-05T20:07:49.048Z
Weakness Enumerations
References
| Reference URL | Reference Tags |
|---|---|
| https://github.com/kubean-io/kubean/security/advisories/GHSA-3wfj-3x8q-hrpg | x_refsource_CONFIRM |
| https://github.com/kubean-io/kubean/issues/1326 | x_refsource_MISC |
| https://github.com/kubean-io/kubean/commit/167e97329e4a27ba2f456d2846d39af20e1af7ef | x_refsource_MISC |
Sources
| Source Name | Source URL |
|---|---|
| NIST | https://nvd.nist.gov/vuln/detail/CVE-2024-41820 |
| MITRE | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-41820 |
History
| Created | Old Value | New Value | Data Type | Notes |
|---|---|---|---|---|
| 2024-08-06 13:06:57 | Added to TrackCVE |