6.6

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-5042

CVE-2024-5042: Submariner Operator sets unnecessary RBAC permissions

A flaw was found in the Submariner project. Due to unnecessary role-based access control permissions, a privileged attacker can run a malicious container on a node that may allow them to steal service account tokens and further compromise other nodes and potentially the entire cluster.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2024-5042

CVE-2024-5042:

6.6

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/submariner-io/submariner-operator	go	>= 0.16.0-m0, < 0.16.4	0.16.4
github.com/submariner-io/submariner-operator	go	>= 0.17.0-m0, < 0.17.2	0.17.2
github.com/submariner-io/submariner-operator	go	< 0.15.4	0.15.4
github.com/submariner-io/submariner-operator	go	>= 0.18.0-m0, < 0.18.0-rc0	0.18.0-rc0

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from overprivileged RBAC configurations. Key indicators are: 1) The commit diff shows added resourceNames restrictions in cluster_role.yaml and role.yaml, indicating previous wildcard delete permissions. 2) The migration_test.go changes verify cleanup of specific resources, confirming the previous broad-scope deletion capability. 3) The np_syncer_resources.go modifications demonstrate the code was previously deleting resources without name constraints. The combination of permissive RBAC rules and deletion logic without resource name restrictions created the vulnerability surface.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

6.6

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2024-5042: Submariner Operator sets unnecessary RBAC permissions

CVE-2024-5042:

6.6

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Basic Information

Basic Information

6.6

6.6

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2024-5042: Submariner Operator sets unnecessary RBAC permissions

Technical Details

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI