GHSA-mgwr-h7mv-fh29: Hwameistor Potential Permission Leakage of Cluster Level

Impact

What kind of vulnerability is it? Who is impacted? This ClusterRole grants the wildcard verb (*) on wildcard resources (*). A malicious user who can access a worker node that runs hwameistor's deployment can abuse these excessive permissions to do anything to the whole cluster, which results in a cluster-level privilege escalation.

Patches

Has the problem been patched? What versions should users upgrade to?

>= v0.14.6

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading? Update and limit the ClusterRole using security-role.
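As an added example (not part of this advisory or of the hwameistor project), the following Python script audits ClusterRole objects for the over-broad pattern described above, wildcard verbs on wildcard resources, and places a narrowed rule set beside it so the difference is visible. It reads the JSON that "kubectl get clusterrole -o json" emits, either a single object or the kind: List wrapper. The role name, the example.io API group and the specific resources and verbs in the narrowed role are assumptions for illustration; the real least-privilege list must be derived from the API calls the controller actually makes.

```python
"""Audit Kubernetes ClusterRoles for wildcard and escalation-prone RBAC rules.

Constructed example accompanying the advisory; not hwameistor code. Input is
the JSON produced by `kubectl get clusterrole -o json` (one object or a
kind: List wrapper), so the same functions work on a real cluster export.
"""
import json

# Verbs that let a subject grant itself more than it already holds; worth
# flagging even when no wildcard is present.
ESCALATION_VERBS = {"bind", "escalate", "impersonate"}

# Constructed sample: the over-broad shape the advisory describes. The role
# name is a placeholder, not the project's real manifest.
WILDCARD_ROLE = json.loads("""{
  "apiVersion": "rbac.authorization.k8s.io/v1",
  "kind": "ClusterRole",
  "metadata": {"name": "example-storage-operator"},
  "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]
}""")

# Constructed sample of a narrowed role. The resources, verbs and the
# example.io CRD group are assumptions; a storage operator's actual needs
# come from the API calls its controllers make.
SCOPED_ROLE = json.loads("""{
  "apiVersion": "rbac.authorization.k8s.io/v1",
  "kind": "ClusterRole",
  "metadata": {"name": "example-storage-operator"},
  "rules": [
    {"apiGroups": [""], "resources": ["nodes", "persistentvolumes"],
     "verbs": ["get", "list", "watch"]},
    {"apiGroups": [""], "resources": ["events"], "verbs": ["create", "patch"]},
    {"apiGroups": ["storage.k8s.io"], "resources": ["storageclasses"],
     "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["example.io"],
     "resources": ["storagepools", "storagepools/status"],
     "verbs": ["get", "list", "watch", "update", "patch"]}
  ]
}""")


def audit_rule(role_name, index, rule):
    """Return (severity, message) findings for one PolicyRule."""
    groups = set(rule.get("apiGroups", []))
    resources = set(rule.get("resources", []))
    verbs = set(rule.get("verbs", []))
    where = f"ClusterRole/{role_name} rules[{index}]"
    scope = "all API groups" if "*" in groups else f"API groups {sorted(groups)}"
    findings = []

    if "*" in verbs and "*" in resources:
        # Exactly the advisory's shape: '*' verbs on '*' resources. Combined
        # with apiGroups '*' this is equivalent to cluster-admin.
        findings.append(("critical", f"{where}: '*' verbs on '*' resources in {scope}"))
    elif "*" in verbs:
        findings.append(("high", f"{where}: wildcard verbs on {sorted(resources)}"))
    elif "*" in resources:
        # Even read-only wildcards reach secrets and other sensitive kinds.
        findings.append(("high", f"{where}: {sorted(verbs)} on every resource in {scope}"))

    escalating = verbs & ESCALATION_VERBS
    if escalating:
        findings.append(("high", f"{where}: escalation verbs {sorted(escalating)}"))
    return findings


def audit_clusterrole(role):
    """Audit every rule of a single ClusterRole object."""
    name = role.get("metadata", {}).get("name", "<unnamed>")
    findings = []
    # `rules` may be null for aggregated roles, hence the `or []`.
    for i, rule in enumerate(role.get("rules") or []):
        findings.extend(audit_rule(name, i, rule))
    return findings


def audit_document(doc):
    """Accept a single ClusterRole or the kind: List wrapper kubectl emits."""
    items = doc.get("items", []) if doc.get("kind") == "List" else [doc]
    findings = []
    for item in items:
        if item.get("kind") == "ClusterRole":
            findings.extend(audit_clusterrole(item))
    return findings


def is_least_privilege(role):
    """True when the role has no wildcard or escalation findings."""
    return not audit_clusterrole(role)


if __name__ == "__main__":
    for role in (WILDCARD_ROLE, SCOPED_ROLE):
        result = audit_clusterrole(role)
        status = "OK" if not result else f"{len(result)} finding(s)"
        print(f"{role['metadata']['name']}: {status}")
        for severity, message in result:
            print(f"  [{severity}] {message}")
```

Run against a live export with "kubectl get clusterroles -o json > roles.json" and pass the parsed file to audit_document; any "critical" finding on a role bound to a workload's service account is the situation this advisory describes, since a compromise of the node running that workload yields the whole cluster.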

References

Are there any links users can visit to find out more?
Issues:
https://github.com/hwameistor/hwameistor/issues/1457
https://github.com/hwameistor/hwameistor/issues/1460

Also reported by users via e-mail: sparkEchooo, younaman.


Package

gomod github.com/hwameistor/hwameistor (Go)

Affected versions

<= 0.14.5

Patched versions

0.14.6

References

  • GHSA-mgwr-h7mv-fh29
  • https://nvd.nist.gov/vuln/detail/CVE-2024-45054
  • hwameistor/hwameistor#1457
  • hwameistor/hwameistor#1460
  • hwameistor/hwameistor@edf4ceb
  • https://github.com/hwameistor/hwameistor/blob/main/helm/hwameistor/templates/clusterrole.yaml

SSmallMonster published to hwameistor/hwameistor: Aug 28, 2024
Published by the National Vulnerability Database: Aug 28, 2024
Published to the GitHub Advisory Database: Aug 29, 2024
Reviewed: Aug 29, 2024
Last updated: Aug 29, 2024