CVE-2023-32191

Summary

When RKE provisions a cluster, it stores the cluster state in a configmap called full-cluster-state inside the kube-system namespace of the cluster itself. The information available in there allows non-admin users to escalate to admin.

Affected Software

VendorProductVersion RangeStatus
SUSErke1.4.18 < 1.4.19affected
SUSErke1.5.9 < 1.5.10affected

Weaknesses

  • CWE-922: CWE-922: Insecure Storage of Sensitive Information

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References