Description
MARIN3R is a lightweight, CRD-based Envoy control plane for Kubernetes. In versions 0.13.3 and below, there is a cross-namespace secret access vulnerability in the project's DiscoveryServiceCertificate which allows users to bypass RBAC and access secrets in unauthorized namespaces. This issue is fixed in version 0.13.4.
A cross-namespace authorization flaw has been identified in the MARIN3R operator’s DiscoveryServiceCertificate resource. The flaw occurs because the operator mistakenly treats certain inputs as valid, bypassing Kubernetes Role-Based Access Control (RBAC). When a user has permission to create DiscoveryServiceCertificate objects in one Kubernetes namespace, they could exploit the vulnerability to indirectly read Secret objects in other namespaces that they should not have access to.
Report
The severity is considered Moderate. Exploitation can be done over the network via the Kubernetes API (AV:N), and no unusual conditions are required for the attack (AC:L). However, the attacker must already hold permission to create DiscoveryServiceCertificate objects in some namespace; no elevated privileges beyond that are required. The flaw enables unauthorized disclosure of sensitive secrets across namespace boundaries (confidentiality impact only), without affecting integrity or availability.
Mitigation
As an interim workaround, restrict permissions so that only trusted cluster administrators can create DiscoveryServiceCertificate resources until the update is applied.
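To apply the workaround you first need to know who can currently create these objects. The following is an added example, not part of the original advisory or the MARIN3R project: it walks RBAC objects and lists every subject whose binding allows `create` on the CRD, including wildcard rules. The API group and resource plural are assumptions to confirm with `kubectl api-resources`, and all role, namespace and subject names in the sample are constructed.

```python
# RBAC audit for the interim workaround: who may create DiscoveryServiceCertificate?
# GROUP/RESOURCE are assumed values for the MARIN3R CRD; confirm with `kubectl api-resources`.
GROUP, RESOURCE = "operator.marin3r.3scale.net", "discoveryservicecertificates"
WANT = (("apiGroups", GROUP), ("resources", RESOURCE), ("verbs", "create"))

def grants_create(rule):
    """True if one RBAC PolicyRule allows 'create' on the CRD, honouring '*' wildcards."""
    return all("*" in rule.get(k, []) or v in rule.get(k, []) for k, v in WANT)

def creators(items):
    """Sorted (scope, subject kind, subject name, role) for each binding that grants create."""
    roles, found = {}, set()
    for o in items:
        if o["kind"] in ("Role", "ClusterRole"):
            key = (o["kind"], o["metadata"].get("namespace", ""), o["metadata"]["name"])
            roles[key] = any(grants_create(r) for r in o.get("rules") or [])
    for o in items:
        if o["kind"] not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        ns, ref = o["metadata"].get("namespace", ""), o["roleRef"]
        # A RoleBinding may point at a ClusterRole; the grant then applies in ns only.
        role_ns = ns if ref["kind"] == "Role" else ""
        if roles.get((ref["kind"], role_ns, ref["name"])):
            for s in o.get("subjects") or []:
                found.add((ns or "<cluster-wide>", s["kind"], s["name"], ref["name"]))
    return sorted(found)

def _obj(kind, name, ns=None, **extra):
    meta = {"name": name, **({"namespace": ns} if ns else {})}
    return {"kind": kind, "metadata": meta, **extra}

def _role(kind, name, resources, verbs, ns=None):
    rule = {"apiGroups": [GROUP], "resources": resources, "verbs": verbs}
    return _obj(kind, name, ns, rules=[rule])

def _bind(kind, ref_kind, ref_name, subj_kind, subj_name, ns=None):
    subject = {"kind": subj_kind, "name": subj_name}
    return _obj(kind, "bind-" + subj_name, ns,
                roleRef={"kind": ref_kind, "name": ref_name}, subjects=[subject])

# Constructed sample (all names hypothetical), shaped like the "items" list of
# `kubectl get roles,clusterroles,rolebindings,clusterrolebindings -A -o json`.
SAMPLE = [
    _role("ClusterRole", "mesh-editor", ["*"], ["create", "get"]),
    _role("ClusterRole", "mesh-viewer", [RESOURCE], ["get", "list"]),
    _role("Role", "dsc-admin", [RESOURCE], ["*"], ns="team-a"),
    _bind("RoleBinding", "Role", "dsc-admin", "User", "alice", ns="team-a"),
    _bind("RoleBinding", "ClusterRole", "mesh-editor", "ServiceAccount", "ci", ns="team-b"),
    _bind("ClusterRoleBinding", "ClusterRole", "mesh-viewer", "Group", "devs"),
]
```

Against a live cluster, pass `json.load(f)["items"]` from the `kubectl` command named in the comment instead of `SAMPLE`; any subject returned that is not a trusted cluster administrator is a candidate for removal until the upgrade to 0.13.4.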
Additional information
Status:
EPSS
CVSS3: 6.5 Medium