CVE-2024-42480 HIGH

CVE-2024-42480: Kamaji's RBAC Roles for `etcd` are not disjunct

Vendor Clastix

Product kamaji

Weakness CWE-284

Published August 12, 2024

Last update August 12, 2024

View on NVD All CVEs

CVSS base score

8.1/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

What the vulnerability does

01Description

Kamaji is the Hosted Control Plane Manager for Kubernetes. In versions 1.0.0 and earlier, Kamaji uses an "open at the top" range definition in RBAC for etcd roles leading to some TCPs API servers being able to read, write, and delete the data of other control planes. This vulnerability is fixed in edge-24.8.2.

Key dates

02Disclosure timeline

August 12, 2024 CVE published

August 12, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2024-42480 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/284.html

Related vulnerabilities

CVE-2024-42480: Kamaji's RBAC Roles for `etcd` are not disjunct

01Description

02Disclosure timeline

03References

04Related CVE