
x/vulndb: potential Go vuln in github.com/metal3-io/baremetal-operator: CVE-2024-43803 #3109

Open
GoVulnBot opened this issue Sep 3, 2024 · 0 comments


Advisory CVE-2024-43803 references a vulnerability in the following Go modules:

Module
github.com/metal3-io/baremetal-operator

Description:
The Bare Metal Operator (BMO) implements a Kubernetes API for managing bare metal hosts in Metal3. The BareMetalHost (BMH) CRD allows the userData, metaData, and networkData for the provisioned host to be specified as links to Kubernetes Secrets. There are fields for both the Name and Namespace of the Secret, meaning that versions of the baremetal-operator prior to 0.8.0, 0.6.2, and 0.5.2 will read a Secret from any namespace. A user with access to create or edit a BareMetalHost can thus exfiltrate a Secret from another namespace by using it as e.g. the userData for provisi...

References:

Cross references:

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/metal3-io/baremetal-operator
      vulnerable_at: 0.8.0
summary: CVE-2024-43803 in github.com/metal3-io/baremetal-operator
cves:
    - CVE-2024-43803
references:
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-43803
    - fix: https://github.com/metal3-io/baremetal-operator/commit/3af4882e9c5fadc1a7550f53daea21dccd271f74
    - fix: https://github.com/metal3-io/baremetal-operator/commit/bedae7b997d16f36e772806681569bb8eb4dadbb
    - fix: https://github.com/metal3-io/baremetal-operator/commit/c2b5a557641bc273367635124047d6c958aa15f7
    - fix: https://github.com/metal3-io/baremetal-operator/pull/1929
    - fix: https://github.com/metal3-io/baremetal-operator/pull/1930
    - fix: https://github.com/metal3-io/baremetal-operator/pull/1931
    - web: https://github.com/metal3-io/baremetal-operator/security/advisories/GHSA-pqfh-xh7w-7h3p
source:
    id: CVE-2024-43803
    created: 2024-09-03T20:01:19.986106162Z
review_status: UNREVIEWED
