CVE-2024-41820
Published: 2024-08-05
Priority: P4 · 30 · Severity: medium · CVSS 3.1 base score: 6
CVSS 3.1 vector: AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:H
EPSS: 0.41% (33.1st percentile)
Kubean is a cluster lifecycle management toolchain based on kubespray and other cluster LCM engines. Its ClusterRole grants `*` verbs on `*` resources. Because that role is granted to kubean's deployment, an attacker who can access the worker node running the deployment can take the service-account token mounted in its pod and use those excessive permissions to do anything to the whole cluster, resulting in a cluster-level privilege escalation. This issue has been addressed in release version 0.18.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.
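The pattern behind this advisory (a ClusterRole with `*` verbs on `*` resources bound to a workload's service account) is easy to find in any cluster once you join ClusterRoles to their ClusterRoleBindings. The script below is an added example, not kubean's own code and not from the advisory: it reads the JSON that `kubectl get clusterroles,clusterrolebindings -o json` emits, flags wildcard rules, and lists the subjects each flagged role reaches. The `SAMPLE` object is constructed for the example; `example-operator-admin` mirrors the CVE-2024-41820 shape, `example-operator-scoped` is a least-privilege alternative, and the names `example-operator` and `example-system` are hypothetical. It goes slightly beyond the advisory by also flagging the `escalate`, `bind` and `impersonate` verbs, which let a subject grow its own permissions without a wildcard.

```python
"""Find wildcard ClusterRoles and the subjects they are bound to.

Added example, not kubean's own code. Input is the JSON List that
`kubectl get clusterroles,clusterrolebindings -o json` emits. SAMPLE is
constructed; every name in it is hypothetical.
"""
import json
import sys

# Verbs that let a subject grant itself more than it already has.
RISKY_VERBS = {"escalate", "bind", "impersonate"}


def rule_findings(rule):
    """Return short reasons one PolicyRule is over-privileged ([] if it looks fine)."""
    verbs = set(rule.get("verbs", []))
    findings = []
    if rule.get("nonResourceURLs"):  # e.g. /healthz, /metrics; these rules carry no resources
        if "*" in verbs:
            findings.append(f"'*' verbs on non-resource URLs {sorted(rule['nonResourceURLs'])}")
        return findings
    resources = set(rule.get("resources", []))
    groups = sorted(g or "core" for g in rule.get("apiGroups", []))  # "" is the core API group
    scope = "all API groups" if "*" in groups else "API groups " + ",".join(groups)
    if "*" in verbs and "*" in resources:
        findings.append(f"'*' verbs on '*' resources ({scope})")
    elif "*" in verbs:
        findings.append(f"'*' verbs on {sorted(resources)} ({scope})")
    elif "*" in resources:
        findings.append(f"{sorted(verbs)} on '*' resources ({scope})")
    risky = verbs & RISKY_VERBS
    if risky:
        findings.append(f"privilege-escalation verbs {sorted(risky)} on {sorted(resources)} ({scope})")
    return findings


def audit(objects):
    """Map each over-privileged ClusterRole name to its findings and bound subjects.

    Subjects are rendered as "Kind [namespace/]name", so a ServiceAccount shows up as
    the exact identity an attacker on the node would obtain from the pod's token.
    """
    roles = {}
    for item in objects["items"]:
        if item["kind"] == "ClusterRole":
            findings = [f for rule in item.get("rules", []) for f in rule_findings(rule)]
            if findings:
                roles[item["metadata"]["name"]] = {"findings": findings, "subjects": []}
    for item in objects["items"]:
        if item["kind"] != "ClusterRoleBinding":
            continue
        ref = item["roleRef"]
        if ref["kind"] != "ClusterRole" or ref["name"] not in roles:
            continue
        for s in item.get("subjects", []):
            ns = s.get("namespace")
            roles[ref["name"]]["subjects"].append(f"{s['kind']} {ns + '/' if ns else ''}{s['name']}")
    return roles


# Constructed input in kubectl's List shape (not from a real cluster).
SAMPLE = json.loads("""
{"kind": "List", "items": [
  {"kind": "ClusterRole", "metadata": {"name": "example-operator-admin"},
   "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
  {"kind": "ClusterRole", "metadata": {"name": "example-operator-scoped"},
   "rules": [
     {"apiGroups": [""], "resources": ["configmaps", "secrets"], "verbs": ["get", "list", "watch"]},
     {"apiGroups": ["batch"], "resources": ["jobs"], "verbs": ["create", "delete", "get", "list", "watch"]}]},
  {"kind": "ClusterRole", "metadata": {"name": "cluster-admin"},
   "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
             {"nonResourceURLs": ["*"], "verbs": ["*"]}]},
  {"kind": "ClusterRoleBinding", "metadata": {"name": "example-operator-admin"},
   "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "example-operator-admin"},
   "subjects": [{"kind": "ServiceAccount", "name": "example-operator", "namespace": "example-system"}]},
  {"kind": "ClusterRoleBinding", "metadata": {"name": "example-operator-scoped"},
   "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "example-operator-scoped"},
   "subjects": [{"kind": "ServiceAccount", "name": "example-operator", "namespace": "example-system"}]},
  {"kind": "ClusterRoleBinding", "metadata": {"name": "cluster-admin"},
   "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "cluster-admin"},
   "subjects": [{"kind": "Group", "name": "system:masters", "apiGroup": "rbac.authorization.k8s.io"}]}
]}
""")


if __name__ == "__main__":
    # Pipe real output in (kubectl get clusterroles,clusterrolebindings -o json | python3 rbac_audit.py)
    # or run with no stdin to audit the constructed SAMPLE.
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for name, info in sorted(audit(data).items()):
        print(f"ClusterRole {name}")
        for f in info["findings"]:
            print(f"  finding: {f}")
        for s in info["subjects"] or ["(unbound)"]:
            print(f"  bound to: {s}")
```

On the constructed input, `example-operator-admin` is reported with its ServiceAccount subject, the built-in `cluster-admin` is reported with `Group system:masters` (expected, and useful as a reminder that what matters is which workload identities reach such a role), and the scoped role is silent. To confirm what a specific service account can do on a live cluster, `kubectl auth can-i --list --as=system:serviceaccount:<namespace>:<name>` prints its effective permissions; the advisory does not name kubean's namespace or service account, so take those from your own install.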
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | kubean-io_kubean | >= 0 < 0.18.0 | 0.18.0 |
| kubean-io | kubean | < 0.18.0 | 0.18.0 |
OSV (2024-08-06): CVE-2024-41820 Kubean vulnerable to cluster-level privilege escalation in github.com/kubean-io/kubean
OSV (2024-08-05): CVE-2024-41820 [HIGH] Kubean vulnerable to cluster-level privilege escalation
### Impact
The ClusterRole granted to kubean's deployment has `*` verbs on `*` resources. An attacker who can access the worker node running that deployment can abuse these excessive permissions to do anything to the whole cluster, resulting in a cluster-level privilege escalation.
### Patches
>=v0.18.0
### References
Reported by @younaman (Nanzi Yang)
https://github.com/kubean-io/kubean/issues/1326
GHSA (2024-08-05): CVE-2024-41820 [HIGH] CWE-276 (Incorrect Default Permissions) Kubean vulnerable to cluster-level privilege escalation. The advisory text is the same as the OSV entry above.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.