CVE-2024-5042

Summary

A flaw was found in the Submariner project. Due to unnecessary role-based access control permissions, a privileged attacker can run a malicious container on a node that may allow them to steal service account tokens and further compromise other nodes and potentially the entire cluster.

Affected Software

VendorProductVersion RangeStatus
0 < 0.14.9affected
0.15.0 < 0.15.5affected
0.16.0 < 0.16.7affected
0.17.0 < 0.17.2affected
0.18.0-m0 < 0.18.0-rc0affected
Red HatRHODF-4.16-RHEL-9v4.16.0-19 < *unaffected
Red HatRed Hat Openshift Data Foundation 4.21774540992 < *unaffected
Red HatRed Hat Openshift Data Foundation 4.21774540668 < *unaffected
Red HatRed Hat Openshift Data Foundation 4.21774541259 < *unaffected
Red HatRed Hat Openshift Data Foundation 4.21774541345 < *unaffected
Red HatRed Hat Openshift Data Foundation 4.21774541880 < *unaffected
Red HatRed Hat Openshift Data Foundation 4.21774541518 < *unaffected
Red HatRed Hat Openshift Data Foundation 4.21774541420 < *unaffected
Red HatRed Hat Openshift Data Foundation 4.21774541448 < *unaffected
Red HatRed Hat Openshift Data Foundation 4.21774541663 < *unaffected
Red HatRed Hat Openshift Data Foundation 4.21774541469 < *unaffected
Red HatRed Hat Openshift Data Foundation 4.21774542075 < *unaffected
Red HatRed Hat Openshift Data Foundation 4.21774541617 < *unaffected
Red HatRed Hat Openshift Data Foundation 4.21774541614 < *unaffected
Red HatRed Hat Openshift Data Foundation 4.21774541633 < *unaffected
Red HatRed Hat Openshift Data Foundation 4.21774541625 < *unaffected
Red HatRed Hat Openshift Data Foundation 4.21774541625 < *unaffected
Red HatRed Hat Openshift Data Foundation 4.21774542179 < *unaffected
Red HatRed Hat Openshift Data Foundation 4.21774541779 < *unaffected
Red HatRed Hat Openshift Data Foundation 4.21774541857 < *unaffected
Red HatRed Hat Openshift Data Foundation 4.21774541919 < *unaffected
Red HatRed Hat Openshift Data Foundation 4.21774541919 < *unaffected
Red HatRed Hat Openshift Data Foundation 4.21774542101 < *unaffected

Weaknesses

  • CWE-250: Execution with Unnecessary Privileges

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

CVE Program Container

Additional References

References