Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2022-1833

Опубликовано: 15 июн. 2022
Источник: redhat
CVSS3: 8.8
EPSS Низкий

Описание

A flaw was found in AMQ Broker Operator 7.9.4 installed via UI using OperatorHub where a low-privilege user that has access to the namespace where the AMQ Operator is deployed has access to clusterwide edit rights by checking the secrets. The service account used for building the Operator gives more permission than expected and an attacker could benefit from it. This requires at least an already compromised low-privilege account or insider attack.

A flaw was found in AMQ Broker Operator, installed via UI using the OperatorHub. In this vulnerability, a low-privilege user with access to the Operator deployed namespace has access to cluster-wide edit rights. This flaw allows an attacker to have full cluster management access.

Меры по смягчению последствий

In order to have these privileges correctly set in this version, opt for using the CLI method at https://access.redhat.com/documentation/en-us/red_hat_amq/7.4/html/deploying_amq_broker_on_openshift_container_platform/broker-operator-broker-ocp#operator-install-broker-ocp Make sure to use the latest available version in order to have access to the latest bug and security fixes.

Ссылки на источники

Дополнительная информация

Статус:

Important
Дефект:
CWE-276
https://bugzilla.redhat.com/show_bug.cgi?id=2089406amq: AMQ Broker Operator ClusterWide Edit Permissions Due Token Exposure

EPSS

Процентиль: 55%
0.00321
Низкий

8.8 High

CVSS3

Связанные уязвимости

nvd логотип

CVE-2022-1833

CVSS3: 8.8
nvd
больше 3 лет назад

A flaw was found in AMQ Broker Operator 7.9.4 installed via UI using OperatorHub where a low-privilege user that has access to the namespace where the AMQ Operator is deployed has access to clusterwide edit rights by checking the secrets. The service account used for building the Operator gives more permission than expected and an attacker could benefit from it. This requires at least an already compromised low-privilege account or insider attack.

github логотип

GHSA-fmxp-97xc-fcmx

CVSS3: 8.8
github
больше 3 лет назад

A flaw was found in AMQ Broker Operator 7.9.4 installed via UI using OperatorHub where a low-privilege user that has access to the namespace where the AMQ Operator is deployed has access to clusterwide edit rights by checking the secrets. The service account used for building the Operator gives more permission than expected and an attacker could benefit from it. This requires at least an already compromised low-privilege account or insider attack.

EPSS

Процентиль: 55%
0.00321
Низкий

8.8 High

CVSS3