Description
The Kubernetes kube-apiserver in versions v1.6 through v1.15, and in versions prior to v1.16.13, v1.17.9 and v1.18.6, is vulnerable to an unvalidated redirect on proxied upgrade requests that could allow an attacker to escalate privileges from a node compromise to a full cluster compromise.
A flaw was found in the Kubernetes API server that allows an attacker to escalate privileges from a compromised node. When the API server proxies an upgrade request (for example an exec or port-forward session) to a node, it follows the redirect the node returns without validating its target. An attacker who can intercept those proxied requests on a compromised node can therefore redirect them, together with the credentials the API server attaches, to other endpoints that trust those credentials (including other clusters) and perform actions there. The highest threat from this vulnerability is to confidentiality, integrity and system availability.
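The following is an added illustration of the flaw described above, not code from Kubernetes or from this advisory. It contrasts a proxy that resolves a backend's Location header and uses the result as the next hop (the unvalidated behaviour) with one that refuses any redirect whose scheme, host or port differs from the backend the proxy originally selected. The backend URL and the redirect targets are constructed sample values; the check is illustrative and is not a copy of the upstream patch.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
)

// ErrRedirectRejected is returned when a backend redirect would move the
// proxied upgrade request, and the credentials attached to it, off the
// backend that was originally selected.
var ErrRedirectRejected = errors.New("redirect rejected: target differs from proxied backend")

// followRedirectUnchecked models the vulnerable behaviour: whatever the
// backend puts in Location is resolved against the backend URL and used as
// the next hop, credentials and all. It exists only to contrast with
// checkedRedirect.
func followRedirectUnchecked(backend, location string) (string, error) {
	base, err := url.Parse(backend)
	if err != nil {
		return "", err
	}
	next, err := base.Parse(location) // resolves relative and absolute Location values
	if err != nil {
		return "", err
	}
	return next.String(), nil
}

// checkedRedirect resolves Location the same way but only accepts the result
// if scheme, host and port are unchanged. A relative redirect on the same
// backend passes; a redirect to another node, another cluster, or a
// plaintext scheme is refused before any credential leaves the proxy.
func checkedRedirect(backend, location string) (string, error) {
	base, err := url.Parse(backend)
	if err != nil {
		return "", err
	}
	next, err := base.Parse(location)
	if err != nil {
		return "", err
	}
	if next.Scheme != base.Scheme || next.Host != base.Host {
		return "", fmt.Errorf("%w: %s -> %s", ErrRedirectRejected, base.Host, next.Host)
	}
	return next.String(), nil
}

func main() {
	// Constructed sample: the API server proxies an exec upgrade to a kubelet
	// (hypothetical address) and a compromised kubelet answers with a redirect.
	backend := "https://10.0.0.5:10250/exec/default/shell/main"
	for _, loc := range []string{
		"/exec/default/shell/main?command=sh",           // same host: harmless
		"https://10.0.0.9:10250/exec/kube-system/x/y",   // another node
		"https://other-cluster.example:6443/api/v1/x",   // another cluster
		"http://10.0.0.5:10250/exec/default/shell/main", // TLS stripped
	} {
		u, err := followRedirectUnchecked(backend, loc)
		fmt.Printf("unchecked: next=%q err=%v\n", u, err)
		u, err = checkedRedirect(backend, loc)
		fmt.Printf("checked:   next=%q err=%v\n", u, err)
	}
}
```

The same-host comparison is deliberately strict about the port and scheme: a redirect from port 10250 to 6443 on the same address, or from https to http, is exactly the kind of hop that would hand the proxied credentials to a different trust boundary.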
Statement
Kubernetes is embedded in the version of heketi shipped with Red Hat Gluster Storage 3. However, heketi does not use the Kubernetes API server component and only uses client-side bits. Hence, this flaw does not affect heketi.
Mitigation
No mitigation is known.
Affected packages
Platform | Package | State | Advisory | Release date |
---|---|---|---|---|
Red Hat OpenShift Container Platform 4 | openshift4/ose-openshift-apiserver-rhel9 | Not affected | | |
Red Hat Storage 3 | heketi | Not affected | | |
Red Hat OpenShift Container Platform 3.11 | atomic-openshift | Fixed | RHSA-2020:5363 | 16.12.2020 |
Red Hat OpenShift Container Platform 4.4 | openshift | Fixed | RHSA-2021:0030 | 13.01.2021 |
Red Hat OpenShift Container Platform 4.4 | openshift4/ose-hyperkube | Fixed | RHSA-2021:0281 | 03.02.2021 |
Red Hat OpenShift Container Platform 4.5 | openshift4/ose-hyperkube | Fixed | RHSA-2020:5194 | 01.12.2020 |
Red Hat OpenShift Container Platform 4.6 | openshift | Fixed | RHBA-2020:4197 | 27.10.2020 |
Red Hat OpenShift Container Platform 4.6 | openshift4/ose-hyperkube | Fixed | RHSA-2020:4298 | 27.10.2020 |
Additional information
CVSS3 base score: 6.4 Medium
Related vulnerabilities
The Kubernetes kube-apiserver in versions v1.6 through v1.15, and in versions prior to v1.16.13, v1.17.9 and v1.18.6, is vulnerable to an unvalidated redirect on proxied upgrade requests that could allow an attacker to escalate privileges from a node compromise to a full cluster compromise. (CVSS3: 6.4 Medium)