CVE-2023-0923 HIGH

CVE-2023-0923: Odh-notebook-controller-container: missing authorization allows for file contents disclosure

Weakness CWE-862 · Missing authorization
Published September 15, 2023
Last update August 2, 2024

CVSS base score

8.8/10
Attack vector Adjacent
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

A flaw was found in the Kubernetes service for notebooks in RHODS, where it does not prevent pods from other namespaces and applications from making requests to the Jupyter API. This flaw can lead to file content exposure and other issues.

Key dates

02 Disclosure timeline

September 15, 2023 CVE published
August 2, 2024 Record updated