{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-45054", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-08-21T17:53:51.332Z", "datePublished": "2024-08-28T19:50:22.959Z", "dateUpdated": "2024-08-28T20:09:27.302Z"}, "containers": {"cna": {"title": "Potential Permission Leakage of Cluster Level in hwameistor", "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "lang": "en", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 2.8, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/hwameistor/hwameistor/security/advisories/GHSA-mgwr-h7mv-fh29", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/hwameistor/hwameistor/security/advisories/GHSA-mgwr-h7mv-fh29"}, {"name": "https://github.com/hwameistor/hwameistor/issues/1457", "tags": ["x_refsource_MISC"], "url": "https://github.com/hwameistor/hwameistor/issues/1457"}, {"name": "https://github.com/hwameistor/hwameistor/issues/1460", "tags": ["x_refsource_MISC"], "url": "https://github.com/hwameistor/hwameistor/issues/1460"}, {"name": "https://github.com/hwameistor/hwameistor/commit/edf4cebed73cadd230bf97eab65c5311f2858450", "tags": ["x_refsource_MISC"], "url": "https://github.com/hwameistor/hwameistor/commit/edf4cebed73cadd230bf97eab65c5311f2858450"}, {"name": "https://github.com/hwameistor/hwameistor/blob/main/helm/hwameistor/templates/clusterrole.yaml", "tags": ["x_refsource_MISC"], "url": "https://github.com/hwameistor/hwameistor/blob/main/helm/hwameistor/templates/clusterrole.yaml"}], "affected": [{"vendor": "hwameistor", "product": "hwameistor", "versions": [{"version": "< 0.14.6", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-08-28T19:50:22.959Z"}, "descriptions": [{"lang": "en", "value": "Hwameistor is an HA local storage system for cloud-native stateful workloads. This ClusterRole has * verbs of * resources. If a malicious user can access the worker node which has hwameistor's deployment, he/she can abuse these excessive permissions to do whatever he/she likes to the whole cluster, resulting in a cluster-level privilege escalation. This issue has been patched in version 0.14.6. All users are advised to upgrade. Users unable to upgrade should update and limit the ClusterRole using security-role."}], "source": {"advisory": "GHSA-mgwr-h7mv-fh29", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-08-28T20:09:15.367119Z", "id": "CVE-2024-45054", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-28T20:09:27.302Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-45054", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-08-28T20:09:15.367119Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-28T20:09:19.092Z"}}], "cna": {"title": "Potential Permission Leakage of Cluster Level in hwameistor", "source": {"advisory": "GHSA-mgwr-h7mv-fh29", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 2.8, "attackVector": "LOCAL", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "hwameistor", "product": "hwameistor", "versions": [{"status": "affected", "version": "< 0.14.6"}]}], "references": [{"url": "https://github.com/hwameistor/hwameistor/security/advisories/GHSA-mgwr-h7mv-fh29", "name": "https://github.com/hwameistor/hwameistor/security/advisories/GHSA-mgwr-h7mv-fh29", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/hwameistor/hwameistor/issues/1457", "name": "https://github.com/hwameistor/hwameistor/issues/1457", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/hwameistor/hwameistor/issues/1460", "name": "https://github.com/hwameistor/hwameistor/issues/1460", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/hwameistor/hwameistor/commit/edf4cebed73cadd230bf97eab65c5311f2858450", "name": "https://github.com/hwameistor/hwameistor/commit/edf4cebed73cadd230bf97eab65c5311f2858450", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/hwameistor/hwameistor/blob/main/helm/hwameistor/templates/clusterrole.yaml", "name": "https://github.com/hwameistor/hwameistor/blob/main/helm/hwameistor/templates/clusterrole.yaml", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Hwameistor is an HA local storage system for cloud-native stateful workloads. This ClusterRole has * verbs of * resources. If a malicious user can access the worker node which has hwameistor's deployment, he/she can abuse these excessive permissions to do whatever he/she likes to the whole cluster, resulting in a cluster-level privilege escalation. This issue has been patched in version 0.14.6. All users are advised to upgrade. Users unable to upgrade should update and limit the ClusterRole using security-role."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-08-28T19:50:22.959Z"}}}, "cveMetadata": {"cveId": "CVE-2024-45054", "state": "PUBLISHED", "dateUpdated": "2024-08-28T20:09:27.302Z", "dateReserved": "2024-08-21T17:53:51.332Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-08-28T19:50:22.959Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:hwameistor:hwameistor:*:*:*:*:*:go:*:*", "matchCriteriaId": "789E23CD-2922-45F8-BD3A-AD17E16D06CA", "versionEndExcluding": "0.14.6", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Hwameistor is an HA local storage system for cloud-native stateful workloads. This ClusterRole has * verbs of * resources. If a malicious user can access the worker node which has hwameistor's deployment, he/she can abuse these excessive permissions to do whatever he/she likes to the whole cluster, resulting in a cluster-level privilege escalation. This issue has been patched in version 0.14.6. All users are advised to upgrade. Users unable to upgrade should update and limit the ClusterRole using security-role."}, {"lang": "es", "value": "Hwameistor es un sistema de almacenamiento local de alta disponibilidad para cargas de trabajo nativas de la nube con estado. Este ClusterRole tiene * verbos de * recursos. Si un usuario malintencionado puede acceder al nodo de trabajo que tiene la implementaci\u00f3n de hwameistor, puede abusar de estos permisos excesivos para hacer lo que quiera con todo el cl\u00faster, lo que da como resultado una escalada de privilegios a nivel de cl\u00faster. Este problema se ha corregido en la versi\u00f3n 0.14.6. Se recomienda a todos los usuarios que actualicen. Los usuarios que no puedan actualizar deben actualizar y limitar el ClusterRole mediante security-role."}], "id": "CVE-2024-45054", "lastModified": "2024-09-12T17:50:11.233", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 0.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 2.8, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.1, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-08-28T20:15:08.547", "references": [{"source": "security-advisories@github.com", "tags": ["Product"], "url": "https://github.com/hwameistor/hwameistor/blob/main/helm/hwameistor/templates/clusterrole.yaml"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/hwameistor/hwameistor/commit/edf4cebed73cadd230bf97eab65c5311f2858450"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking"], "url": "https://github.com/hwameistor/hwameistor/issues/1457"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking"], "url": "https://github.com/hwameistor/hwameistor/issues/1460"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/hwameistor/hwameistor/security/advisories/GHSA-mgwr-h7mv-fh29"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-200"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}