CVE-2024-43803: The Bare Metal Operator (BMO) can expose particularly named secrets from other namespaces via BMH CRD
The Bare Metal Operator (BMO) implements a Kubernetes API for managing bare metal hosts in Metal3. The BareMetalHost (BMH) CRD allows the userData, metaData, and networkData for the provisioned host to be specified as links to Kubernetes Secrets. There are fields for both the Name and Namespace of the Secret, meaning that the baremetal-operator will read a Secret from any namespace. A user with access to create or edit a BareMetalHost can thus exfiltrate a Secret from another namespace by using it as e.g. the userData for provisioning some host (note that this need not be a real host, it could be a VM somewhere).
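One way to enforce the missing constraint, as an added example that is not the project's own code or its actual fix: a Go check over a simplified stand-in for the BMH spec (the SecretRef and BareMetalHost types below are assumptions, not the real API types) that flags any userData, metaData or networkData reference pointing outside the host's own namespace, usable from an admission webhook or for auditing existing objects.

```go
package main

import "fmt"

// SecretRef is a simplified stand-in (assumption) for the Name/Namespace pair
// the BMH CRD uses to point at a Secret.
type SecretRef struct {
	Name      string
	Namespace string
}

// BareMetalHost is a minimal stand-in (assumption) for the BMH object: its own
// namespace plus the three Secret references the advisory names.
type BareMetalHost struct {
	Namespace   string
	UserData    *SecretRef
	MetaData    *SecretRef
	NetworkData *SecretRef
}

// CrossNamespaceRefs lists the userData/metaData/networkData references that
// point outside the host's namespace. An empty Namespace means "same namespace
// as the host" and is allowed; a nil reference is simply absent.
func CrossNamespaceRefs(bmh BareMetalHost) []string {
	var violations []string
	check := func(field string, ref *SecretRef) {
		if ref == nil || ref.Namespace == "" || ref.Namespace == bmh.Namespace {
			return
		}
		violations = append(violations, fmt.Sprintf(
			"%s references Secret %s/%s outside host namespace %s",
			field, ref.Namespace, ref.Name, bmh.Namespace))
	}
	check("userData", bmh.UserData)
	check("metaData", bmh.MetaData)
	check("networkData", bmh.NetworkData)
	return violations
}

// Validate is the admission-style decision: reject a host with any
// cross-namespace Secret reference, accept it otherwise.
func Validate(bmh BareMetalHost) error {
	if v := CrossNamespaceRefs(bmh); len(v) > 0 {
		return fmt.Errorf("rejecting BareMetalHost: %v", v)
	}
	return nil
}

func main() {
	// Constructed sample: a host in "tenant-a" whose userData points at a Secret in "kube-system".
	bad := BareMetalHost{Namespace: "tenant-a", UserData: &SecretRef{Name: "admin-creds", Namespace: "kube-system"}}
	fmt.Println(Validate(bad))
}
```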
References
- github.com/advisories/GHSA-pqfh-xh7w-7h3p
- github.com/metal3-io/baremetal-operator
- github.com/metal3-io/baremetal-operator/commit/3af4882e9c5fadc1a7550f53daea21dccd271f74
- github.com/metal3-io/baremetal-operator/commit/bedae7b997d16f36e772806681569bb8eb4dadbb
- github.com/metal3-io/baremetal-operator/commit/c2b5a557641bc273367635124047d6c958aa15f7
- github.com/metal3-io/baremetal-operator/security/advisories/GHSA-pqfh-xh7w-7h3p
- nvd.nist.gov/vuln/detail/CVE-2024-43803