CVE-2023-3775

Опубликовано: 29 сент. 2023

Источник: redhat

CVSS3: 4.2

Описание

A Vault Enterprise Sentinel Role Governing Policy created by an operator to restrict access to resources in one namespace can be applied to requests outside in another non-descendant namespace, potentially resulting in denial of service. Fixed in Vault Enterprise 1.15.0, 1.14.4, 1.13.8.

A flaw was found in the Vault Enterprise. A Vault Enterprise Sentinel Role Governing Policy created by an operator to restrict access to resources in one namespace can be applied to requests outside in another non-descendant namespace, potentially resulting in a denial of service.

Отчет

This issue affects Vault Enterprise versions which are not shipped in any Red Hat Products.

Затронутые пакеты

Платформа	Пакет	Состояние
cert-manager Operator for Red Hat OpenShift	cert-manager/jetstack-cert-manager-rhel9	Not affected
OpenShift Pipelines	openshift-pipelines-client	Not affected
OpenShift Serverless	openshift-serverless-1/client-kn-rhel8	Not affected
OpenShift Serverless	openshift-serverless-1-tech-preview/eventing-kafka-broker-webhook-rhel8	Not affected
Red Hat Ceph Storage 5	rhceph/rhceph-5-dashboard-rhel8	Not affected
Red Hat OpenShift Container Platform 4	openshift4/ose-contour-rhel8	Not affected
Red Hat OpenShift Container Platform 4	openshift4/topology-aware-lifecycle-manager-rhel8-operator	Not affected
Red Hat Openshift Container Storage 4	mcg	Not affected
Red Hat Openshift Container Storage 4	ocs4/mcg-rhel8-operator	Not affected
Red Hat Openshift Container Storage 4	ocs4/ocs-rhel8-operator	Not affected

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate

Дефект:

CWE-400

https://bugzilla.redhat.com/show_bug.cgi?id=2241306hashicorp/vault: vault enterprise’s sentinel RGP policies allowed for cross-namespace denial of service

4.2 Medium

CVSS3

Связанные уязвимости

CVE-2023-3775

CVSS3: 4.2

nvd

больше 2 лет назад

GHSA-37gg-8xjr-m6x4

CVSS3: 4.2

github

больше 2 лет назад

4.2 Medium

CVSS3