Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
OpenFeature Operator vulnerable to Cluster-level Privilege Escalation
Vulnerability Description
The OpenFeature Operator allows users to expose feature flags to applications. Assuming the pre-existence of a vulnerability that allows for arbitrary code execution, an attacker could leverage the lax permissions configured on `open-feature-operator-controller-manager` to escalate the privileges of any SA in the cluster. The increased privileges could be used to modify cluster state, leading to DoS, or read sensitive data, including secrets. Version 0.2.32 mitigates this issue by restricting the resources the `open-feature-operator-controller-manager` can modify.
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
Vulnerability Type
特权管理不恰当
Vulnerability Title
OpenFeature Operator 安全漏洞
Vulnerability Description
OpenFeature Operator是OpenFeature的用于向应用程序公开功能标志的工具。 OpenFeature Operator 0.2.32之前版本存在安全漏洞,该漏洞源于open-feature-operator-controller-manager上配置的宽松权限可用于升级集群中任何服务帐户的特权。攻击者可利用该漏洞修改集群状态或读取敏感数据。
CVSS Information
N/A
Vulnerability Type
N/A