Description
In GitHub Security Advisory GHSA-cwf6-xj49-wp83, there is a vulnerability in the following Go packages or modules:
Unit | Fixed | Vulnerable Ranges
---|---|---
github.com/open-feature/open-feature-operator | 0.2.32 | < 0.2.32
Cross references:
No existing reports found with this module or alias.
See doc/triage.md for instructions on how to triage this report.
modules:
  - module: github.com/open-feature/open-feature-operator
    versions:
      - fixed: 0.2.32
    packages:
      - package: github.com/open-feature/open-feature-operator
summary: 'OpenFeature Operator vulnerable to Cluster-level Privilege Escalation'
description: |-
    ### Impact
    On a node controlled by an attacker or malicious user, the lax permissions configured on `open-feature-operator-controller-manager` can be used to further escalate the privileges of any service account in the cluster.
    The increased privileges could be used to modify cluster state, leading to DoS, or to read sensitive data, including secrets.
    ### Patches
    The patch mitigates this issue by restricting the resources the `open-feature-operator-controller-manager` can modify.
cves:
  - CVE-2023-29018
ghsas:
  - GHSA-cwf6-xj49-wp83
references:
  - advisory: https://github.com/open-feature/open-feature-operator/security/advisories/GHSA-cwf6-xj49-wp83
  - web: https://github.com/open-feature/open-feature-operator/releases/tag/v0.2.32
  - advisory: https://github.com/advisories/GHSA-cwf6-xj49-wp83