CVE-2024-32359

Severity CVSS v4.0:

Pending analysis

Type:

CWE-285 Improper Authorization

Publication date:

02/05/2024

Last modified:

03/07/2024

Description

An RBAC authorization risk in Carina v0.13.0 and earlier allows local attackers to execute arbitrary code through designed commands to obtain the secrets of the entire cluster and further take over the cluster.

Impact

Vector 3.x

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:H CVSS v3.1 Severity and Metrics:

Base Score: 6.90 MEDIUM
Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:H

Attack Vector (AV): Local
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): Low
Availability (A): High

Base Score 3.x

6.90

Severity 3.x

MEDIUM

References to Advisories, Solutions, and Tools

http://carina.com
https://gist.github.com/HouqiyuA/568d9857dab4ddba6b8b6a791e90f906
https://github.com/HouqiyuA/k8s-rbac-poc
https://github.com/carina-io/carina