A privilege escalation flaw was found in the node restriction admission plugin of the kubernetes api server of OpenShift. A remote attacker who modifies the node role label could steer workloads from the control plane and etcd nodes onto different worker nodes and gain broader access to the cluster.
The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Openshift_container_platform | Redhat | 4.11 (including) | 4.11 (including) |
| Openshift_container_platform | Redhat | 4.12 (including) | 4.12 (including) |
| Openshift_container_platform | Redhat | 4.13 (including) | 4.13 (including) |
| Openshift_container_platform | Redhat | 4.14 (including) | 4.14 (including) |
| Red Hat OpenShift Container Platform 4.11 | RedHat | openshift4/ose-cluster-kube-apiserver-operator:v4.11.0-202311211130.p0.g7021090.assembly.stream | * |
| Red Hat OpenShift Container Platform 4.12 | RedHat | openshift4/ose-cluster-kube-apiserver-operator:v4.12.0-202311021630.p0.gfe5e2a1.assembly.stream | * |
| Red Hat OpenShift Container Platform 4.13 | RedHat | openshift4/ose-cluster-kube-apiserver-operator:v4.13.0-202310210425.p0.gd525f5d.assembly.stream | * |
| Red Hat OpenShift Container Platform 4.14 | RedHat | openshift4/ose-cluster-kube-apiserver-operator:v4.14.0-202310201027.p0.g8b38d12.assembly.stream | * |