Описание
Hwameistor is an HA local storage system for cloud-native stateful workloads. This ClusterRole has * verbs of * resources. If a malicious user can access the worker node which has hwameistor's deployment, he/she can abuse these excessive permissions to do whatever he/she likes to the whole cluster, resulting in a cluster-level privilege escalation. This issue has been patched in version 0.14.6. All users are advised to upgrade. Users unable to upgrade should update and limit the ClusterRole using security-role.
Ссылки
- Product
- Patch
- Issue Tracking
- Issue Tracking
- Vendor Advisory
Уязвимые конфигурации
Конфигурация 1Версия до 0.14.6 (исключая)
cpe:2.3:a:hwameistor:hwameistor:*:*:*:*:*:go:*:*
EPSS
Процентиль: 18%
0.00058
Низкий
2.8 Low
CVSS3
6.7 Medium
CVSS3
Дефекты
CWE-200
NVD-CWE-noinfo
Связанные уязвимости
CVSS3: 2.3
github
больше 1 года назад
Hwameistor Potential Permission Leakage of Cluster Level
EPSS
Процентиль: 18%
0.00058
Низкий
2.8 Low
CVSS3
6.7 Medium
CVSS3
Дефекты
CWE-200
NVD-CWE-noinfo