Execution with unnecessary privileges in Submariner

#VU94614 Execution with unnecessary privileges in Submariner

Published: 2024-07-19

Vulnerability identifier: #VU94614

Vulnerability risk: Medium

CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-5042

CWE-ID: CWE-250

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Submariner
Server applications / Other server solutions

Vendor: Submariner

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to unnecessary role-based access control permissions. A local user can run a malicious container on a node that may allow them to steal service account tokens and further compromise other nodes and potentially the entire cluster.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Submariner: 0.17.0 - 0.17.1, 0.16.0 - 0.16.3, 0.15.0 - 0.15.3, 0.14.0 - 0.14.7

External links
http://access.redhat.com/security/cve/CVE-2024-5042
http://bugzilla.redhat.com/show_bug.cgi?id=2280921
http://github.com/advisories/GHSA-2rhx-qhxp-5jpw
http://access.redhat.com/errata/RHSA-2024:4591

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Red Hat OpenShift Data Foundation

Privilege escalation in Submariner