GHSA-rf84-wr5g-m3rp: CAPM3 vulnerable to Cross-Namespace resource access
CAPM3 is Metal3’s Cluster API (CAPI) provider for baremetal provisioning in Kubernetes. Multiple cross-namespace access control vulnerabilities in Cluster API Provider Metal3 allow users with permissions to create or modify CAPM3 resources in one namespace to reference, read, or claim resources belonging to other namespaces.
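The defensive pattern behind fixes for this class of bug is to scope every user-supplied reference to the namespace of the object that carries it, taking that namespace from the reconciled object rather than from spec fields. The following is an added illustration written for this page, not CAPM3's own code: the `ObjectRef` and `Store` types, the tenant names and the `Claim`/`ResolveRef` functions are all constructed for the example, and `Store` is a stand-in for the API server.

```go
package main

import (
	"errors"
	"fmt"
)

// ObjectRef is a hypothetical reference as a user might place it in a
// provider resource spec: a name plus an optional namespace field.
type ObjectRef struct {
	Name      string
	Namespace string
}

// ErrCrossNamespace is returned when a reference points outside the
// namespace of the object that carries it.
var ErrCrossNamespace = errors.New("cross-namespace reference rejected")

// ResolveRef returns the namespace/name a controller should actually look up.
// ownerNS is the namespace of the object being reconciled (taken from the API
// server object metadata, not from user-controlled spec fields). A reference
// with an empty namespace is scoped to ownerNS; one naming a different
// namespace is rejected rather than silently honoured.
func ResolveRef(ownerNS string, ref ObjectRef) (ns, name string, err error) {
	if ref.Name == "" {
		return "", "", errors.New("reference has no name")
	}
	if ref.Namespace != "" && ref.Namespace != ownerNS {
		return "", "", fmt.Errorf("%w: object in %q references %s/%s",
			ErrCrossNamespace, ownerNS, ref.Namespace, ref.Name)
	}
	return ownerNS, ref.Name, nil
}

// Store is a constructed stand-in for the API server: objects keyed by namespace/name.
type Store map[string]string

func key(ns, name string) string { return ns + "/" + name }

// Claim looks up a referenced object on behalf of an owner and only succeeds
// when the reference resolves inside the owner's namespace.
func (s Store) Claim(ownerNS string, ref ObjectRef) (string, error) {
	ns, name, err := ResolveRef(ownerNS, ref)
	if err != nil {
		return "", err
	}
	v, ok := s[key(ns, name)]
	if !ok {
		return "", fmt.Errorf("%s not found", key(ns, name))
	}
	return v, nil
}

func main() {
	// Constructed sample data: the same object name exists in two tenant namespaces.
	store := Store{
		key("tenant-a", "host-1"): "host owned by tenant-a",
		key("tenant-b", "host-1"): "host owned by tenant-b",
	}
	refs := []ObjectRef{
		{Name: "host-1"},                          // resolves inside tenant-a
		{Name: "host-1", Namespace: "tenant-b"},   // rejected: crosses namespaces
	}
	for _, ref := range refs {
		v, err := store.Claim("tenant-a", ref)
		fmt.Printf("ref=%+v -> %q err=%v\n", ref, v, err)
	}
}
```

The key design choice is that the lookup namespace is never derived from the reference alone: an unset namespace defaults to the owner's, and an explicit namespace is only accepted when it equals the owner's. A validating webhook can apply the same `ResolveRef` check at admission time so that offending objects are rejected before a controller ever reconciles them.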
References
- github.com/advisories/GHSA-rf84-wr5g-m3rp
- github.com/metal3-io/cluster-api-provider-metal3/pull/3288
- github.com/metal3-io/cluster-api-provider-metal3/pull/3294
- github.com/metal3-io/cluster-api-provider-metal3/pull/3317
- github.com/metal3-io/cluster-api-provider-metal3/pull/3319
- github.com/metal3-io/cluster-api-provider-metal3/pull/3322
- github.com/metal3-io/cluster-api-provider-metal3/pull/3323
- github.com/metal3-io/cluster-api-provider-metal3/pull/3325
- github.com/metal3-io/cluster-api-provider-metal3/pull/3327
- github.com/metal3-io/cluster-api-provider-metal3/pull/3343
- github.com/metal3-io/cluster-api-provider-metal3/pull/3344
- github.com/metal3-io/cluster-api-provider-metal3/security/advisories/GHSA-rf84-wr5g-m3rp