CVE-2023-29018 – github.com/open-feature/open-feature-operator

Package

Manager: go
Name: github.com/open-feature/open-feature-operator
Vulnerable Version: >=0 <0.2.32

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00188 pctl0.40823

Details

OpenFeature Operator vulnerable to Cluster-level Privilege Escalation ### Impact On a node controlled by an attacker or malicious user, the lax permissions configured on `open-feature-operator-controller-manager` can be used to further escalate the privileges of any service account in the cluster. The increased privileges could be used to modify cluster state, leading to DoS, or read sensitive data, including secrets. ### Patches The patch mitigates this issue by restricting the resources the `open-feature-operator-controller-manager` can modify.

Metadata

Created: 2023-04-12T20:40:38Z
Modified: 2023-04-25T16:34:37Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/04/GHSA-cwf6-xj49-wp83/GHSA-cwf6-xj49-wp83.json
CWE IDs: ["CWE-269"]
Alternative ID: GHSA-cwf6-xj49-wp83
Finding: F159
Auto approve: 1