{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-5056", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2023-09-18T18:33:13.584Z", "datePublished": "2023-12-18T13:43:07.807Z", "dateUpdated": "2024-09-16T13:53:32.105Z"}, "containers": {"cna": {"title": "Skupper-operator: privelege escalation via config map", "metrics": [{"other": {"content": {"value": "Important", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "A flaw was found in the Skupper operator, which may permit a certain configuration to create a service account that would allow an authenticated attacker in the adjacent cluster to view deployments in all namespaces in the cluster. This issue permits unauthorized viewing of information outside of the user's purview."}], "affected": [{"vendor": "Red Hat", "product": "Service Interconnect 1 for RHEL 9", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "service-interconnect/skupper-config-sync-rhel9", "defaultStatus": "affected", "versions": [{"version": "1.4.3-5", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:service_interconnect:1::el9"]}, {"vendor": "Red Hat", "product": "Service Interconnect 1 for RHEL 9", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "service-interconnect/skupper-flow-collector-rhel9", "defaultStatus": "affected", "versions": [{"version": "1.4.3-5", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:service_interconnect:1::el9"]}, {"vendor": "Red Hat", "product": "Service Interconnect 1 for RHEL 9", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "service-interconnect/skupper-operator-bundle", "defaultStatus": "affected", "versions": [{"version": "1.4.3-6", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:service_interconnect:1::el9"]}, {"vendor": "Red Hat", "product": "Service Interconnect 1 for RHEL 9", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "service-interconnect/skupper-router-rhel9", "defaultStatus": "affected", "versions": [{"version": "2.4.3-3", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:service_interconnect:1::el9"]}, {"vendor": "Red Hat", "product": "Service Interconnect 1 for RHEL 9", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "service-interconnect/skupper-service-controller-rhel9", "defaultStatus": "affected", "versions": [{"version": "1.4.3-4", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:service_interconnect:1::el9"]}, {"vendor": "Red Hat", "product": "Service Interconnect 1 for RHEL 9", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "service-interconnect/skupper-site-controller-rhel9", "defaultStatus": "affected", "versions": [{"version": "1.4.3-6", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:service_interconnect:1::el9"]}], "references": [{"url": "https://access.redhat.com/errata/RHSA-2023:6219", "name": "RHSA-2023:6219", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/security/cve/CVE-2023-5056", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2239517", "name": "RHBZ#2239517", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "datePublic": "2023-10-26T14:58:00+00:00", "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-862: Missing Authorization", "timeline": [{"lang": "en", "time": "2023-09-12T00:00:00+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2023-10-26T14:58:00+00:00", "value": "Made public."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2024-09-16T13:53:32.105Z"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T07:44:53.783Z"}, "title": "CVE Program Container", "references": [{"url": "https://access.redhat.com/errata/RHSA-2023:6219", "name": "RHSA-2023:6219", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/security/cve/CVE-2023-5056", "tags": ["vdb-entry", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2239517", "name": "RHBZ#2239517", "tags": ["issue-tracking", "x_refsource_REDHAT", "x_transferred"]}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "7F6FB57C-2BC7-487C-96DD-132683AEB35D", "vulnerable": false}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:service_interconnect:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "12B0CF2B-D1E1-4E20-846E-6F0D873499A9", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in the Skupper operator, which may permit a certain configuration to create a service account that would allow an authenticated attacker in the adjacent cluster to view deployments in all namespaces in the cluster. This issue permits unauthorized viewing of information outside of the user's purview."}, {"lang": "es", "value": "Se encontr\u00f3 una falla en el operador Skupper, que puede permitir que una determinada configuraci\u00f3n cree una cuenta de servicio que permitir\u00eda a un atacante autenticado en el cl\u00faster adyacente ver las implementaciones en todos los espacios de nombres del cl\u00faster. Este problema permite la visualizaci\u00f3n no autorizada de informaci\u00f3n fuera del \u00e1mbito del usuario."}], "id": "CVE-2023-5056", "lastModified": "2023-12-29T18:14:30.437", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "baseScore": 4.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 4.0, "source": "secalert@redhat.com", "type": "Secondary"}]}, "published": "2023-12-18T14:15:10.133", "references": [{"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/errata/RHSA-2023:6219"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/security/cve/CVE-2023-5056"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2239517"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-862"}], "source": "secalert@redhat.com", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2023:6219", "cpe": "cpe:/a:redhat:service_interconnect:1::el9", "package": "service-interconnect/skupper-config-sync-rhel9:1.4.3-5", "product_name": "Service Interconnect 1 for RHEL 9", "release_date": "2023-10-31T00:00:00Z"}, {"advisory": "RHSA-2023:6219", "cpe": "cpe:/a:redhat:service_interconnect:1::el9", "package": "service-interconnect/skupper-flow-collector-rhel9:1.4.3-5", "product_name": "Service Interconnect 1 for RHEL 9", "release_date": "2023-10-31T00:00:00Z"}, {"advisory": "RHSA-2023:6219", "cpe": "cpe:/a:redhat:service_interconnect:1::el9", "package": "service-interconnect/skupper-operator-bundle:1.4.3-6", "product_name": "Service Interconnect 1 for RHEL 9", "release_date": "2023-10-31T00:00:00Z"}, {"advisory": "RHSA-2023:6219", "cpe": "cpe:/a:redhat:service_interconnect:1::el9", "package": "service-interconnect/skupper-router-rhel9:2.4.3-3", "product_name": "Service Interconnect 1 for RHEL 9", "release_date": "2023-10-31T00:00:00Z"}, {"advisory": "RHSA-2023:6219", "cpe": "cpe:/a:redhat:service_interconnect:1::el9", "package": "service-interconnect/skupper-service-controller-rhel9:1.4.3-4", "product_name": "Service Interconnect 1 for RHEL 9", "release_date": "2023-10-31T00:00:00Z"}, {"advisory": "RHSA-2023:6219", "cpe": "cpe:/a:redhat:service_interconnect:1::el9", "package": "service-interconnect/skupper-site-controller-rhel9:1.4.3-6", "product_name": "Service Interconnect 1 for RHEL 9", "release_date": "2023-10-31T00:00:00Z"}], "bugzilla": {"description": "skupper-operator: privelege escalation via config map", "id": "2239517", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2239517"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.8", "cvss3_scoring_vector": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "status": "verified"}, "cwe": "CWE-862", "details": ["A flaw was found in the Skupper operator, which may permit a certain configuration to create a service account that would allow an authenticated attacker in the adjacent cluster to view deployments in all namespaces in the cluster. This issue permits unauthorized viewing of information outside of the user's purview.", "A flaw was found in the Skupper operator, which may permit a certain configuration to create a service account that would allow an authenticated attacker in the adjacent cluster to view deployments in all namespaces in the cluster. This issue permits unauthorized viewing of information outside of the user's purview."], "name": "CVE-2023-5056", "public_date": "2023-10-26T14:58:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-5056\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-5056"], "threat_severity": "Important"}