#VU78481 Permissions, Privileges, and Access Controls in apiserver


Published: 2023-07-21

Vulnerability identifier: #VU78481

Vulnerability risk: Low

CVSSv3.1: 3.7 [CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-1260

CWE-ID: CWE-264

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
apiserver
Web applications / Other software

Vendor: Kubernetes

Description

The vulnerability allows a remote user to escalate privileges within the application.

The vulnerability exists due to improper access restrictions within kube-apiserver. A remote authenticated user with "update, patch" permissions to the "pods/ephemeralcontainers" subresource can bypass SCC admission restrictions and gain control over a privileged pod.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

apiserver: All versions

External links
http://bugzilla.redhat.com/show_bug.cgi?id=2176267

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in Red Hat build of MicroShift
OpenShift Container Platform 4.10 update for kube-apiserver
Privilege escalation in OpenShift Container Platform 4.12
Privilege escalation in OpenShift Container Platform 4.11
Multiple vulnerabilities in OpenShift Container Platform 4.13
Multiple vulnerabilities in OpenShift Container Platform 4.13
Multiple vulnerabilities in Red Hat OpenShift Container Platform 4.13
Multiple vulnerabilities in OpenShift Container Platform 4.13
Multiple vulnerabilities in OpenShift Container Platform 4.13