Bug 2211468 (CVE-2023-3027) - CVE-2023-3027 ACM: governance policy propagator privilege escalation
Summary: CVE-2023-3027 ACM: governance policy propagator privilege escalation
Keywords:
Status: NEW
Alias: CVE-2023-3027
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Importance: medium / medium
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 2211105
Reported: 2023-05-31 17:38 UTC by Borja Tarraso
Modified: 2023-07-20 06:46 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description Borja Tarraso 2023-05-31 17:38:43 UTC
The grc-policy-propagator allows security escalation within the cluster. The propagator allows policies which contain some dynamically obtained values (instead of the policy applying a static manifest on a managed cluster) to take advantage of cluster-scoped access in a created policy. This feature does not properly restrict lookups to content from the namespace where the policy was created.


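The missing namespace confinement the report describes, shown as an added Go example that is not ACM's or the propagator's own code: a hub-side template function resolves a value from a hub object on behalf of a policy, once without any namespace check (the reported behaviour, where the propagator's cluster-scoped access reads any namespace) and once confined to the namespace the policy was created in. The `{{hub ... hub}}` delimiters, the `fromConfigMap` function name, and the in-memory objects are assumptions made for illustration; the real propagator's template API and its fix are not reproduced here.

```go
package main

import (
	"bytes"
	"fmt"
	"text/template"
)

// objKey identifies a hub object by namespace and name.
type objKey struct{ ns, name string }

// hubStore is a constructed stand-in for the hub cluster's API, not real ACM
// data: one object in the policy's own namespace and one in kube-system.
var hubStore = map[objKey]map[string]string{
	{"policies", "app-config"}:      {"region": "eu-west"},
	{"kube-system", "admin-config"}: {"token": "hub-admin-token"},
}

// lookupFunc builds the template function that resolves key from the object
// ns/name. policyNS is the namespace the policy was created in.
// restrict=false models the behaviour the report describes: the propagator's
// cluster-scoped access reads any namespace on the hub. restrict=true is the
// corrected behaviour: lookups are confined to policyNS.
func lookupFunc(policyNS string, restrict bool) func(ns, name, key string) (string, error) {
	return func(ns, name, key string) (string, error) {
		if restrict && ns != policyNS {
			return "", fmt.Errorf("lookup of %s/%s denied: policy lives in namespace %s", ns, name, policyNS)
		}
		obj, ok := hubStore[objKey{ns, name}]
		if !ok {
			return "", fmt.Errorf("%s/%s not found", ns, name)
		}
		v, ok := obj[key]
		if !ok {
			return "", fmt.Errorf("key %q not in %s/%s", key, ns, name)
		}
		return v, nil
	}
}

// renderHubTemplate resolves a policy's dynamic values on the hub before the
// policy is propagated to managed clusters. The {{hub ... hub}} delimiters and
// the fromConfigMap name are assumed for illustration. A template function
// returning a non-nil error aborts execution, so a denied lookup fails the
// whole render instead of leaking a partial value.
func renderHubTemplate(tmpl, policyNS string, restrict bool) (string, error) {
	t, err := template.New("policy").
		Delims("{{hub", "hub}}").
		Funcs(template.FuncMap{"fromConfigMap": lookupFunc(policyNS, restrict)}).
		Parse(tmpl)
	if err != nil {
		return "", err
	}
	var out bytes.Buffer
	if err := t.Execute(&out, nil); err != nil {
		return "", err
	}
	return out.String(), nil
}

func main() {
	const policyNS = "policies"
	// Constructed policy snippets: the first reads the policy's own namespace,
	// the second reaches into kube-system, which the policy author cannot see.
	templates := []string{
		`region: {{hub fromConfigMap "policies" "app-config" "region" hub}}`,
		`token: {{hub fromConfigMap "kube-system" "admin-config" "token" hub}}`,
	}
	for _, restrict := range []bool{false, true} {
		for _, tmpl := range templates {
			out, err := renderHubTemplate(tmpl, policyNS, restrict)
			fmt.Printf("restrict=%-5v out=%q err=%v\n", restrict, out, err)
		}
	}
}
```

Running it prints four lines; only the cross-namespace read with `restrict=true` fails, which is the check the report says the propagator lacked: the namespace argument supplied by the policy author is compared against the namespace the policy object itself lives in, not against what the propagator's own service account is allowed to read.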