CVE-2023-5056

A flaw was found in the Skupper operator, which may permit a certain configuration to create a service account that would allow an authenticated attacker in the adjacent cluster to view deployments in all namespaces in the cluster. This issue permits unauthorized viewing of information outside of the user's purview.

CVSS v3 4.1 MEDIUM

4.1^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.3 / Impact : 1.4

Attack Vector ADJACENT_NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://access.redhat.com/errata/RHSA-2023:6219	Vendor Advisory
https://access.redhat.com/security/cve/CVE-2023-5056	Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2239517	Issue Tracking

Configurations

Configuration 1 (hide)

AND

cpe:2.3:a:redhat:service_interconnect:1.0:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*

History

29 Dec 2023, 18:14

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 4.1
References	~~() https://access.redhat.com/security/cve/CVE-2023-5056 -~~	() https://access.redhat.com/security/cve/CVE-2023-5056 - Vendor Advisory
References	~~() https://access.redhat.com/errata/RHSA-2023:6219 -~~	() https://access.redhat.com/errata/RHSA-2023:6219 - Vendor Advisory
References	~~() https://bugzilla.redhat.com/show_bug.cgi?id=2239517 -~~	() https://bugzilla.redhat.com/show_bug.cgi?id=2239517 - Issue Tracking
CWE		CWE-862
CPE		cpe:2.3:o:redhat:enterprise_linux:9.0:::::::* cpe:2.3:a:redhat:service_interconnect:1.0:::::::*

18 Dec 2023, 14:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-12-18 14:15

Updated : 2024-02-05 00:22

NVD link : CVE-2023-5056

Mitre link : CVE-2023-5056

CVE.ORG link : CVE-2023-5056

JSON object : View

Products Affected

redhat

enterprise_linux
service_interconnect

CWE

CWE-862

Missing Authorization

{"id": "CVE-2023-5056", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 4.1, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 2.3}, {"type": "Secondary", "source": "secalert@redhat.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.8, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 4.0, "exploitabilityScore": 2.3}]}, "published": "2023-12-18T14:15:10.133", "references": [{"url": "https://access.redhat.com/errata/RHSA-2023:6219", "tags": ["Vendor Advisory"], "source": "secalert@redhat.com"}, {"url": "https://access.redhat.com/security/cve/CVE-2023-5056", "tags": ["Vendor Advisory"], "source": "secalert@redhat.com"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2239517", "tags": ["Issue Tracking"], "source": "secalert@redhat.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-862"}]}, {"type": "Secondary", "source": "secalert@redhat.com", "description": [{"lang": "en", "value": "CWE-862"}]}], "descriptions": [{"lang": "en", "value": "A flaw was found in the Skupper operator, which may permit a certain configuration to create a service account that would allow an authenticated attacker in the adjacent cluster to view deployments in all namespaces in the cluster. This issue permits unauthorized viewing of information outside of the user's purview."}, {"lang": "es", "value": "Se encontr\u00f3 una falla en el operador Skupper, que puede permitir que una determinada configuraci\u00f3n cree una cuenta de servicio que permitir\u00eda a un atacante autenticado en el cl\u00faster adyacente ver las implementaciones en todos los espacios de nombres del cl\u00faster. Este problema permite la visualizaci\u00f3n no autorizada de informaci\u00f3n fuera del \u00e1mbito del usuario."}], "lastModified": "2023-12-29T18:14:30.437", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:redhat:service_interconnect:1.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "12B0CF2B-D1E1-4E20-846E-6F0D873499A9"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "7F6FB57C-2BC7-487C-96DD-132683AEB35D"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "secalert@redhat.com"}