CVE-2024-42480: RBAC Roles for `etcd` created by Kamaji are not disjunct
Using an “open at the top” range definition in RBAC for etcd roles leads to some TCPs API servers being able to read, write and delete the data of other control planes.
References
- github.com/advisories/GHSA-6r4j-4rjc-8vw5
- github.com/clastix/kamaji
- github.com/clastix/kamaji/blob/8cdc6191242f80d120c46b166e2102d27568225a/internal/datastore/etcd.go
- github.com/clastix/kamaji/commit/1731e8c2ed5148b125ecfbdf091ee177bd44f3db
- github.com/clastix/kamaji/security/advisories/GHSA-6r4j-4rjc-8vw5
- nvd.nist.gov/vuln/detail/CVE-2024-42480
Detect and mitigate CVE-2024-42480 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →