CVE-2024-45054 (GCVE-0-2024-45054)
Vulnerability from cvelistv5 – Published: 2024-08-28 19:50 – Updated: 2024-08-28 20:09
Title
Potential Permission Leakage of Cluster Level in hwameistor
Summary
Hwameistor is an HA local storage system for cloud-native stateful workloads. Its ClusterRole grants all verbs (`*`) on all resources (`*`). If a malicious user can access a worker node that runs hwameistor's deployment, they can abuse these excessive permissions to do anything to the whole cluster, resulting in cluster-level privilege escalation. This issue has been patched in version 0.14.6. All users are advised to upgrade. Users unable to upgrade should update and limit the ClusterRole using security-role.
Severity
CVSS v3.1 base score 2.8 (LOW) as assessed by the CNA (vector CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:L/I:N/A:N); NVD's primary assessment is 6.7 (MEDIUM) (vector CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
GitHub_M
References
| URL | Tags |
|---|---|
| https://github.com/hwameistor/hwameistor/security/advisories/GHSA-mgwr-h7mv-fh29 | x_refsource_CONFIRM |
| https://github.com/hwameistor/hwameistor/issues/1457 | x_refsource_MISC |
| https://github.com/hwameistor/hwameistor/issues/1460 | x_refsource_MISC |
| https://github.com/hwameistor/hwameistor/commit/edf4cebed73cadd230bf97eab65c5311f2858450 | x_refsource_MISC |
| https://github.com/hwameistor/hwameistor/blob/main/helm/hwameistor/templates/clusterrole.yaml | x_refsource_MISC |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| hwameistor | hwameistor | Affected: < 0.14.6 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-45054",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-28T20:09:15.367119Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-28T20:09:27.302Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "hwameistor",
"vendor": "hwameistor",
"versions": [
{
"status": "affected",
"version": "\u003c 0.14.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Hwameistor is an HA local storage system for cloud-native stateful workloads. This ClusterRole has * verbs of * resources. If a malicious user can access the worker node which has hwameistor\u0027s deployment, he/she can abuse these excessive permissions to do whatever he/she likes to the whole cluster, resulting in a cluster-level privilege escalation. This issue has been patched in version 0.14.6. All users are advised to upgrade. Users unable to upgrade should update and limit the ClusterRole using security-role."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 2.8,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-28T19:50:22.959Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/hwameistor/hwameistor/security/advisories/GHSA-mgwr-h7mv-fh29",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/hwameistor/hwameistor/security/advisories/GHSA-mgwr-h7mv-fh29"
},
{
"name": "https://github.com/hwameistor/hwameistor/issues/1457",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/hwameistor/hwameistor/issues/1457"
},
{
"name": "https://github.com/hwameistor/hwameistor/issues/1460",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/hwameistor/hwameistor/issues/1460"
},
{
"name": "https://github.com/hwameistor/hwameistor/commit/edf4cebed73cadd230bf97eab65c5311f2858450",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/hwameistor/hwameistor/commit/edf4cebed73cadd230bf97eab65c5311f2858450"
},
{
"name": "https://github.com/hwameistor/hwameistor/blob/main/helm/hwameistor/templates/clusterrole.yaml",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/hwameistor/hwameistor/blob/main/helm/hwameistor/templates/clusterrole.yaml"
}
],
"source": {
"advisory": "GHSA-mgwr-h7mv-fh29",
"discovery": "UNKNOWN"
},
"title": "Potential Permission Leakage of Cluster Level in hwameistor"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-45054",
"datePublished": "2024-08-28T19:50:22.959Z",
"dateReserved": "2024-08-21T17:53:51.332Z",
"dateUpdated": "2024-08-28T20:09:27.302Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2024-45054",
"date": "2026-04-25",
"epss": "0.00078",
"percentile": "0.23124"
},
"fkie_nvd": {
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:hwameistor:hwameistor:*:*:*:*:*:go:*:*\", \"versionEndExcluding\": \"0.14.6\", \"matchCriteriaId\": \"789E23CD-2922-45F8-BD3A-AD17E16D06CA\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"Hwameistor is an HA local storage system for cloud-native stateful workloads. This ClusterRole has * verbs of * resources. If a malicious user can access the worker node which has hwameistor\u0027s deployment, he/she can abuse these excessive permissions to do whatever he/she likes to the whole cluster, resulting in a cluster-level privilege escalation. This issue has been patched in version 0.14.6. All users are advised to upgrade. Users unable to upgrade should update and limit the ClusterRole using security-role.\"}, {\"lang\": \"es\", \"value\": \"Hwameistor es un sistema de almacenamiento local de alta disponibilidad para cargas de trabajo nativas de la nube con estado. Este ClusterRole tiene * verbos de * recursos. Si un usuario malintencionado puede acceder al nodo de trabajo que tiene la implementaci\\u00f3n de hwameistor, puede abusar de estos permisos excesivos para hacer lo que quiera con todo el cl\\u00faster, lo que da como resultado una escalada de privilegios a nivel de cl\\u00faster. Este problema se ha corregido en la versi\\u00f3n 0.14.6. Se recomienda a todos los usuarios que actualicen. Los usuarios que no puedan actualizar deben actualizar y limitar el ClusterRole mediante security-role.\"}]",
"id": "CVE-2024-45054",
"lastModified": "2024-09-12T17:50:11.233",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:L/I:N/A:N\", \"baseScore\": 2.8, \"baseSeverity\": \"LOW\", \"attackVector\": \"LOCAL\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"HIGH\", \"userInteraction\": \"REQUIRED\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 1.1, \"impactScore\": 1.4}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 6.7, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"LOCAL\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"HIGH\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 0.8, \"impactScore\": 5.9}]}",
"published": "2024-08-28T20:15:08.547",
"references": "[{\"url\": \"https://github.com/hwameistor/hwameistor/blob/main/helm/hwameistor/templates/clusterrole.yaml\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Product\"]}, {\"url\": \"https://github.com/hwameistor/hwameistor/commit/edf4cebed73cadd230bf97eab65c5311f2858450\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Patch\"]}, {\"url\": \"https://github.com/hwameistor/hwameistor/issues/1457\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Issue Tracking\"]}, {\"url\": \"https://github.com/hwameistor/hwameistor/issues/1460\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Issue Tracking\"]}, {\"url\": \"https://github.com/hwameistor/hwameistor/security/advisories/GHSA-mgwr-h7mv-fh29\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Vendor Advisory\"]}]",
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-200\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"NVD-CWE-noinfo\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2024-45054\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-08-28T20:15:08.547\",\"lastModified\":\"2024-09-12T17:50:11.233\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Hwameistor is an HA local storage system for cloud-native stateful workloads. This ClusterRole has * verbs of * resources. If a malicious user can access the worker node which has hwameistor\u0027s deployment, he/she can abuse these excessive permissions to do whatever he/she likes to the whole cluster, resulting in a cluster-level privilege escalation. This issue has been patched in version 0.14.6. All users are advised to upgrade. Users unable to upgrade should update and limit the ClusterRole using security-role.\"},{\"lang\":\"es\",\"value\":\"Hwameistor es un sistema de almacenamiento local de alta disponibilidad para cargas de trabajo nativas de la nube con estado. Este ClusterRole tiene * verbos de * recursos. Si un usuario malintencionado puede acceder al nodo de trabajo que tiene la implementaci\u00f3n de hwameistor, puede abusar de estos permisos excesivos para hacer lo que quiera con todo el cl\u00faster, lo que da como resultado una escalada de privilegios a nivel de cl\u00faster. Este problema se ha corregido en la versi\u00f3n 0.14.6. Se recomienda a todos los usuarios que actualicen. Los usuarios que no puedan actualizar deben actualizar y limitar el ClusterRole mediante security-role.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:L/I:N/A:N\",\"baseScore\":2.8,\"baseSeverity\":\"LOW\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.1,\"impactScore\":1.4},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":6.7,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":0.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-200\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-noinfo\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:hwameistor:hwameistor:*:*:*:*:*:go:*:*\",\"versionEndExcluding\":\"0.14.6\",\"matchCriteriaId\":\"789E23CD-2922-45F8-BD3A-AD17E16D06CA\"}]}]}],\"references\":[{\"url\":\"https://github.com/hwameistor/hwameistor/blob/main/helm/hwameistor/templates/clusterrole.yaml\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Product\"]},{\"url\":\"https://github.com/hwameistor/hwameistor/commit/edf4cebed73cadd230bf97eab65c5311f2858450\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/hwameistor/hwameistor/issues/1457\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Issue Tracking\"]},{\"url\":\"https://github.com/hwameistor/hwameistor/issues/1460\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Issue Tracking\"]},{\"url\":\"https://github.com/hwameistor/hwameistor/security/advisories/GHSA-mgwr-h7mv-fh29\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-45054\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-08-28T20:09:15.367119Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-08-28T20:09:19.092Z\"}}], \"cna\": {\"title\": \"Potential Permission Leakage of Cluster Level in hwameistor\", \"source\": {\"advisory\": \"GHSA-mgwr-h7mv-fh29\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 2.8, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"LOW\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:L/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"HIGH\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"hwameistor\", \"product\": \"hwameistor\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 0.14.6\"}]}], \"references\": [{\"url\": \"https://github.com/hwameistor/hwameistor/security/advisories/GHSA-mgwr-h7mv-fh29\", \"name\": \"https://github.com/hwameistor/hwameistor/security/advisories/GHSA-mgwr-h7mv-fh29\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/hwameistor/hwameistor/issues/1457\", \"name\": \"https://github.com/hwameistor/hwameistor/issues/1457\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/hwameistor/hwameistor/issues/1460\", \"name\": \"https://github.com/hwameistor/hwameistor/issues/1460\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/hwameistor/hwameistor/commit/edf4cebed73cadd230bf97eab65c5311f2858450\", \"name\": \"https://github.com/hwameistor/hwameistor/commit/edf4cebed73cadd230bf97eab65c5311f2858450\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/hwameistor/hwameistor/blob/main/helm/hwameistor/templates/clusterrole.yaml\", \"name\": \"https://github.com/hwameistor/hwameistor/blob/main/helm/hwameistor/templates/clusterrole.yaml\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Hwameistor is an HA local storage system for cloud-native stateful workloads. This ClusterRole has * verbs of * resources. If a malicious user can access the worker node which has hwameistor\u0027s deployment, he/she can abuse these excessive permissions to do whatever he/she likes to the whole cluster, resulting in a cluster-level privilege escalation. This issue has been patched in version 0.14.6. All users are advised to upgrade. Users unable to upgrade should update and limit the ClusterRole using security-role.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-200\", \"description\": \"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2024-08-28T19:50:22.959Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2024-45054\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-08-28T20:09:27.302Z\", \"dateReserved\": \"2024-08-21T17:53:51.332Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2024-08-28T19:50:22.959Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.