Incorrect authorization in Kubevirt - CVE-2023-26484

Published: April 24, 2023

Vulnerability identifier: #VU75445
CSH Severity: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2023-26484
CWE-ID: CWE-863
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
Kubevirt
Software vendor:
Kubevirt

Description

The vulnerability allows a remote user who controls a single cluster node to compromise the whole cluster.

The vulnerability exists due to incorrect authorization: the service account of virt-handler, the KubeVirt per-node daemon, is permitted to modify the spec of every node in the cluster rather than only the node it runs on. A remote user who has taken over a node where virt-handler is running can use that service account to change other nodes' specs and lure system-level-privileged components (which can, for instance, read all secrets in the cluster or exec into pods on other nodes) onto the compromised node. This way a compromised node can be used to elevate privileges beyond the node until cluster-wide access is achieved.
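The weakness is an RBAC rule that grants node write verbs without any scoping. The following audit script is an added example for this advisory, not code from the KubeVirt project: it walks a (Cluster)Role and reports every rule that lets the subject patch or update Node objects cluster-wide, and shows the only hardening plain RBAC can express (dropping the write verbs). The ClusterRole documents and their names are constructed for illustration and are not KubeVirt's real manifests.

```python
"""Audit Kubernetes RBAC rules for cluster-wide write access to Node objects.

Added example for this advisory; it is not code from the KubeVirt project.
The ClusterRole documents below are constructed for illustration and are
not KubeVirt's real manifests.
"""
import copy

# Verbs that allow changing a Node object (and therefore its spec).
NODE_WRITE_VERBS = {"update", "patch", "*"}


def _matches_nodes(rule: dict) -> bool:
    """True if the rule covers the core-group 'nodes' resource."""
    groups = set(rule.get("apiGroups", []))
    resources = set(rule.get("resources", []))
    # Nodes live in the core API group, spelled "" in RBAC rules.
    return ("" in groups or "*" in groups) and ("nodes" in resources or "*" in resources)


def rules_granting_node_write(role: dict) -> list:
    """Return every rule in a (Cluster)Role that lets the subject write
    Node objects cluster-wide, i.e. without a resourceNames restriction."""
    findings = []
    for rule in role.get("rules", []):
        if not _matches_nodes(rule):
            continue
        if not set(rule.get("verbs", [])) & NODE_WRITE_VERBS:
            continue
        # resourceNames scopes the rule to specific named nodes; skip those.
        if rule.get("resourceNames"):
            continue
        findings.append(rule)
    return findings


def read_only_node_rules(role: dict) -> dict:
    """Return a copy of the role with write verbs stripped from unrestricted
    node rules. Plain RBAC cannot express "only the node I run on", so the
    realistic hardening is to remove the write verbs entirely."""
    hardened = copy.deepcopy(role)
    for rule in hardened.get("rules", []):
        if _matches_nodes(rule) and not rule.get("resourceNames"):
            rule["verbs"] = [v for v in rule.get("verbs", []) if v not in NODE_WRITE_VERBS]
    return hardened


# Constructed sample: a node-daemon role that can patch/update any node.
NODE_DAEMON_ROLE = {
    "kind": "ClusterRole",
    "metadata": {"name": "example-node-daemon"},  # hypothetical name
    "rules": [
        {"apiGroups": [""], "resources": ["nodes"],
         "verbs": ["get", "list", "watch", "patch", "update"]},
        {"apiGroups": [""], "resources": ["pods"],
         "verbs": ["get", "list", "watch"]},
    ],
}

# Constructed sample: the same write access limited to one named node.
SCOPED_ROLE = {
    "kind": "ClusterRole",
    "metadata": {"name": "example-node-daemon-scoped"},  # hypothetical name
    "rules": [
        {"apiGroups": [""], "resources": ["nodes"], "resourceNames": ["worker-1"],
         "verbs": ["patch", "update"]},
    ],
}

if __name__ == "__main__":
    for role in (NODE_DAEMON_ROLE, SCOPED_ROLE, read_only_node_rules(NODE_DAEMON_ROLE)):
        name = role["metadata"]["name"]
        bad = rules_granting_node_write(role)
        print(f"{name}: {len(bad)} rule(s) grant cluster-wide node write")
```

On a live cluster the equivalent spot check is `kubectl auth can-i patch nodes --as=system:serviceaccount:<namespace>:<service-account>`, substituting the namespace and service account your KubeVirt deployment uses for virt-handler. Note that a resourceNames list only works for a fixed set of node names; "only the node this daemon runs on" is what the Node authorizer and the NodeRestriction admission plugin provide for kubelets, and it is not expressible in RBAC alone.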


Remediation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

External links