CVE-2024-33398: piraeus-operator allows attacker to impersonate service account

May 3, 2024

There is a ClusterRole in piraeus-operator v2.5.0 and earlier which has been granted list secrets permission, which allows an attacker to impersonate the service account bound to this ClusterRole and use its high-risk privileges to list confidential information across the cluster.

References

gist.github.com/HouqiyuA/d0c11fae5ba4789946ae33175d0f9edb
github.com/HouqiyuA/k8s-rbac-poc
github.com/advisories/GHSA-6fg2-hvj9-832f
github.com/piraeusdatastore/piraeus-operator
nvd.nist.gov/vuln/detail/CVE-2024-33398
piraeus.io/

Detect and mitigate CVE-2024-33398 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →