CVE-2023-5408

A privilege escalation flaw was found in the node restriction admission plugin of the kubernetes api server of OpenShift. A remote attacker who modifies the node role label could steer workloads from the control plane and etcd nodes onto different worker nodes and gain broader access to the cluster.

Weakness

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

Affected Software

Name	Vendor	Start Version	End Version
Openshift_container_platform	Redhat	4.11 (including)	4.11 (including)
Openshift_container_platform	Redhat	4.12 (including)	4.12 (including)
Openshift_container_platform	Redhat	4.13 (including)	4.13 (including)
Openshift_container_platform	Redhat	4.14 (including)	4.14 (including)
Red Hat OpenShift Container Platform 4.11	RedHat	openshift4/ose-cluster-kube-apiserver-operator:v4.11.0-202311211130.p0.g7021090.assembly.stream	*
Red Hat OpenShift Container Platform 4.12	RedHat	openshift4/ose-cluster-kube-apiserver-operator:v4.12.0-202311021630.p0.gfe5e2a1.assembly.stream	*
Red Hat OpenShift Container Platform 4.13	RedHat	openshift4/ose-cluster-kube-apiserver-operator:v4.13.0-202310210425.p0.gd525f5d.assembly.stream	*
Red Hat OpenShift Container Platform 4.14	RedHat	openshift4/ose-cluster-kube-apiserver-operator:v4.14.0-202310201027.p0.g8b38d12.assembly.stream	*

NVD	https://nvd.nist.gov/vuln/detail/CVE-2023-5408
CWE	https://cwe.mitre.org/data/definitions/269.html

Improper Privilege Management

Weakness

Affected Software

Potential Mitigations

References

CVE-2023-5408

Improper Privilege Management

Weakness

Affected Software

Potential Mitigations

Related Attack Patterns

References