2.3

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-45054

CVE-2024-45054: Hwameistor Potential Permission Leakage of Cluster Level

Impact

What kind of vulnerability is it? Who is impacted? This ClusterRole has * verbs of * resources. If a malicious user can access the worker node which has hwameistor's deployment, he/she can abuse these excessive permissions to do whatever he/she likes to the whole cluster, resulting in a cluster-level privilege escalation.

Patches

Has the problem been patched? What versions should users upgrade to?

= v0.14.6

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading? Update and Limit the ClusterRole using security-role.

References

Are there any links users can visit to find out more? issues: https://github.com/hwameistor/hwameistor/issues/1457 https://github.com/hwameistor/hwameistor/issues/1460

also reported by users via mails: sparkEchooo, younaman

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2024-45054

CVE-2024-45054:

2.3

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/hwameistor/hwameistor	go	<= 0.14.5	0.14.6

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from over-permissive RBAC rules in the ClusterRole definition. The original configuration (pre-patch) used:

apiGroups: ['*']
resources: ['*']
verbs: ['*'] This granted full cluster admin privileges to any entity bound to this role. The commit diff shows these wildcard rules were replaced with granular permissions, confirming they were the root cause. While not traditional code functions, Kubernetes RBAC rules function as authorization mechanisms, making them the vulnerable 'functions' in this context.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

2.3

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2024-45054: Hwameistor Potential Permission Leakage of Cluster Level

Impact

Patches

Workarounds

References

CVE-2024-45054:

2.3

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

CVE-2024-45054: Hwameistor Potential Permission Leakage of Cluster Level

Impact

Patches

Workarounds

References

Technical Details

Basic Information

Basic Information

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

2.3

2.3

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI