{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-5408", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2023-10-04T17:58:23.775Z", "datePublished": "2023-11-02T02:55:58.195Z", "dateUpdated": "2025-10-09T11:51:21.900Z"}, "containers": {"cna": {"title": "Openshift: modification of node role labels", "metrics": [{"other": {"content": {"value": "Important", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "A privilege escalation flaw was found in the node restriction admission plugin of the kubernetes api server of OpenShift. A remote attacker who modifies the node role label could steer workloads from the control plane and etcd nodes onto different worker nodes and gain broader access to the cluster."}], "affected": [{"vendor": "Red Hat", "product": "Red Hat OpenShift Container Platform 4.11", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "openshift4/ose-cluster-kube-apiserver-operator", "defaultStatus": "affected", "versions": [{"version": "v4.11.0-202311211130.p0.g7021090.assembly.stream", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:openshift:4.11::el8"]}, {"vendor": "Red Hat", "product": "Red Hat OpenShift Container Platform 4.12", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "openshift4/ose-cluster-kube-apiserver-operator", "defaultStatus": "affected", "versions": [{"version": "v4.12.0-202311021630.p0.gfe5e2a1.assembly.stream", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:openshift:4.12::el8"]}, {"vendor": "Red Hat", "product": "Red Hat OpenShift Container Platform 4.13", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "openshift4/ose-cluster-kube-apiserver-operator", "defaultStatus": "affected", "versions": [{"version": "v4.13.0-202310210425.p0.gd525f5d.assembly.stream", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:openshift:4.13::el9", "cpe:/a:redhat:openshift:4.13::el8"]}, {"vendor": "Red Hat", "product": "Red Hat OpenShift Container Platform 4.14", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "openshift4/ose-cluster-kube-apiserver-operator", "defaultStatus": "affected", "versions": [{"version": "v4.14.0-202310201027.p0.g8b38d12.assembly.stream", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:openshift:4.14::el9", "cpe:/a:redhat:openshift:4.14::el8"]}], "references": [{"url": "https://access.redhat.com/errata/RHSA-2023:5006", "name": "RHSA-2023:5006", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2023:6130", "name": "RHSA-2023:6130", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2023:6842", "name": "RHSA-2023:6842", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2023:7479", "name": "RHSA-2023:7479", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/security/cve/CVE-2023-5408", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2242173", "name": "RHBZ#2242173", "tags": ["issue-tracking", "x_refsource_REDHAT"]}, {"url": "https://github.com/openshift/kubernetes/pull/1736"}], "datePublic": "2023-10-04T00:00:00.000Z", "problemTypes": [{"descriptions": [{"cweId": "CWE-269", "description": "Improper Privilege Management", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-269: Improper Privilege Management", "timeline": [{"lang": "en", "time": "2023-10-04T00:00:00+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2023-10-04T00:00:00+00:00", "value": "Made public."}], "credits": [{"lang": "en", "value": "This issue was discovered by Derek Carr (Red Hat) and Mrunal Patel (Red Hat)."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2025-10-09T11:51:21.900Z"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T07:59:44.895Z"}, "title": "CVE Program Container", "references": [{"url": "https://access.redhat.com/errata/RHSA-2023:5006", "name": "RHSA-2023:5006", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/errata/RHSA-2023:6130", "name": "RHSA-2023:6130", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/errata/RHSA-2023:6842", "name": "RHSA-2023:6842", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/errata/RHSA-2023:7479", "name": "RHSA-2023:7479", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/security/cve/CVE-2023-5408", "tags": ["vdb-entry", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2242173", "name": "RHBZ#2242173", "tags": ["issue-tracking", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://github.com/openshift/kubernetes/pull/1736", "tags": ["x_transferred"]}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:openshift_container_platform:4.11:*:*:*:*:*:*:*", "matchCriteriaId": "EA983F8C-3A06-450A-AEFF-9429DE9A3454", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:openshift_container_platform:4.12:*:*:*:*:*:*:*", "matchCriteriaId": "40449571-22F8-44FA-B57B-B43F71AB25E2", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:openshift_container_platform:4.13:*:*:*:*:*:*:*", "matchCriteriaId": "1FFF1D51-ABA8-4E54-B81C-A88C8A5E4842", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:openshift_container_platform:4.14:*:*:*:*:*:*:*", "matchCriteriaId": "486B3F69-1551-4F8B-B25B-A5864248811B", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A privilege escalation flaw was found in the node restriction admission plugin of the kubernetes api server of OpenShift. A remote attacker who modifies the node role label could steer workloads from the control plane and etcd nodes onto different worker nodes and gain broader access to the cluster."}, {"lang": "es", "value": "Se encontr\u00f3 una falla de escalada de privilegios en el complemento de admisi\u00f3n de restricci\u00f3n de nodos del servidor API de Kubernetes de OpenShift. Un atacante remoto que modifique la etiqueta de funci\u00f3n del nodo podr\u00eda dirigir cargas de trabajo desde el plano de control y los nodos etcd a diferentes nodos trabajadores y obtener un acceso m\u00e1s amplio al cl\u00faster."}], "id": "CVE-2023-5408", "lastModified": "2024-11-21T08:41:42.800", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "secalert@redhat.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-11-02T03:15:10.230", "references": [{"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/errata/RHSA-2023:5006"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/errata/RHSA-2023:6130"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/errata/RHSA-2023:6842"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/errata/RHSA-2023:7479"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/security/cve/CVE-2023-5408"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2242173"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking"], "url": "https://github.com/openshift/kubernetes/pull/1736"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/errata/RHSA-2023:5006"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/errata/RHSA-2023:6130"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/errata/RHSA-2023:6842"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/errata/RHSA-2023:7479"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/security/cve/CVE-2023-5408"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2242173"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking"], "url": "https://github.com/openshift/kubernetes/pull/1736"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-269"}], "source": "secalert@redhat.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "This issue was discovered by Derek Carr (Red Hat) and Mrunal Patel (Red Hat).", "affected_release": [{"advisory": "RHSA-2023:7479", "cpe": "cpe:/a:redhat:openshift:4.11::el8", "package": "openshift4/ose-cluster-kube-apiserver-operator:v4.11.0-202311211130.p0.g7021090.assembly.stream", "product_name": "Red Hat OpenShift Container Platform 4.11", "release_date": "2023-11-29T00:00:00Z"}, {"advisory": "RHSA-2023:6842", "cpe": "cpe:/a:redhat:openshift:4.12::el8", "package": "openshift4/ose-cluster-kube-apiserver-operator:v4.12.0-202311021630.p0.gfe5e2a1.assembly.stream", "product_name": "Red Hat OpenShift Container Platform 4.12", "release_date": "2023-11-16T00:00:00Z"}, {"advisory": "RHSA-2023:6130", "cpe": "cpe:/a:redhat:openshift:4.13::el8", "package": "openshift4/ose-cluster-kube-apiserver-operator:v4.13.0-202310210425.p0.gd525f5d.assembly.stream", "product_name": "Red Hat OpenShift Container Platform 4.13", "release_date": "2023-10-30T00:00:00Z"}, {"advisory": "RHSA-2023:5006", "cpe": "cpe:/a:redhat:openshift:4.14::el8", "package": "openshift4/ose-cluster-kube-apiserver-operator:v4.14.0-202310201027.p0.g8b38d12.assembly.stream", "product_name": "Red Hat OpenShift Container Platform 4.14", "release_date": "2023-10-31T00:00:00Z"}], "bugzilla": {"description": "OpenShift: modification of node role labels", "id": "2242173", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2242173"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.2", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-269", "details": ["A privilege escalation flaw was found in the node restriction admission plugin of the kubernetes api server of OpenShift. A remote attacker who modifies the node role label could steer workloads from the control plane and etcd nodes onto different worker nodes and gain broader access to the cluster.", "A privilege escalation flaw was found in the node restriction admission plugin of the kubernetes api server of OpenShift. A remote attacker who modifies the node role label could steer workloads from the control plane and etcd nodes onto different worker nodes and gain broader access to the cluster."], "name": "CVE-2023-5408", "public_date": "2023-10-04T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-5408\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-5408\nhttps://github.com/openshift/kubernetes/pull/1736"], "statement": "In order to exploit this flaw, an attacker must already have root access on a workload node.", "threat_severity": "Important"}

{}