CVE-2024-45054 - Excessive ClusterRole permissions in Hwameistor (cluster-level privilege escalation)
Attack vector: LOCAL
Attack complexity: LOW
Privileges required: HIGH
Confidentiality impact: HIGH
Integrity impact: HIGH
Availability impact: HIGH
Summary
Hwameistor is an HA local storage system for cloud-native stateful workloads. The ClusterRole shipped in its Helm chart (helm/hwameistor/templates/clusterrole.yaml) grants the "*" verb on "*" resources, which is equivalent to cluster-admin. A malicious user who can access a worker node running Hwameistor's deployment, and therefore the credentials of the service account this ClusterRole is bound to, can abuse these excessive permissions to perform any action against the whole cluster, resulting in a cluster-level privilege escalation. This issue has been patched in version 0.14.6. All users are advised to upgrade. Users unable to upgrade should update and limit the ClusterRole using security-role.
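The following audit script is an added example and is not part of Hwameistor or of this advisory. It takes a ClusterRole in the JSON form that "kubectl get clusterrole NAME -o json" prints, flags any rule that is "*" on all three of apiGroups, resources and verbs (the cluster-admin-equivalent shape described above), and then asks a few concrete questions of the role (can it create ClusterRoleBindings, list Secrets, create Pods, patch Nodes) that are the usual steps from a stolen service account token to full cluster takeover. Both manifests embedded below are constructed for the example; the role names and the resource list in the scoped-down role are assumptions, not Hwameistor's actual rules.

```python
"""Audit a Kubernetes ClusterRole for cluster-admin-equivalent rules.

Added example, not Hwameistor's code. Input is the JSON that
`kubectl get clusterrole <name> -o json` prints. NonResourceURLs are
ignored; only resource rules are evaluated.
"""
import json
import sys

# Constructed sample mirroring the advisory: "*" verbs on "*" resources.
OVERPRIVILEGED = json.loads("""
{
  "apiVersion": "rbac.authorization.k8s.io/v1",
  "kind": "ClusterRole",
  "metadata": {"name": "example-storage-role"},
  "rules": [
    {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}
  ]
}
""")

# Constructed sample of a scoped-down role. The resource list is an
# assumption about what a local-storage operator plausibly needs; it is
# not Hwameistor's patched role.
SCOPED = json.loads("""
{
  "apiVersion": "rbac.authorization.k8s.io/v1",
  "kind": "ClusterRole",
  "metadata": {"name": "example-storage-role-scoped"},
  "rules": [
    {"apiGroups": [""],
     "resources": ["nodes", "persistentvolumes", "persistentvolumeclaims"],
     "verbs": ["get", "list", "watch"]},
    {"apiGroups": [""],
     "resources": ["persistentvolumes"],
     "verbs": ["create", "delete", "patch", "update"]},
    {"apiGroups": ["hwameistor.io"], "resources": ["*"], "verbs": ["*"]}
  ]
}
""")

# (apiGroup, resource, verb) triples that let a pod-level token escalate to
# cluster takeover. "" is the core API group. Constructed list.
DANGEROUS_CHECKS = [
    ("rbac.authorization.k8s.io", "clusterrolebindings", "create"),
    ("", "secrets", "list"),
    ("", "pods", "create"),
    ("", "nodes", "patch"),
]


def _matches(allowed, wanted):
    """RBAC semantics: a "*" entry matches everything, else exact match."""
    return "*" in allowed or wanted in allowed


def rule_allows(rule, group, resource, verb):
    """True if a single PolicyRule permits verb on group/resource."""
    return (_matches(rule.get("apiGroups", []), group)
            and _matches(rule.get("resources", []), resource)
            and _matches(rule.get("verbs", []), verb))


def role_allows(role, group, resource, verb):
    """RBAC is purely additive: any one rule granting the action suffices."""
    return any(rule_allows(r, group, resource, verb)
               for r in role.get("rules", []))


def cluster_admin_equivalent_rules(role):
    """Indexes of rules that are "*" on apiGroups, resources and verbs."""
    return [i for i, r in enumerate(role.get("rules", []))
            if "*" in r.get("apiGroups", [])
            and "*" in r.get("resources", [])
            and "*" in r.get("verbs", [])]


def audit(role):
    """Summarise the wildcard rules and the escalation actions the role grants."""
    return {
        "name": role["metadata"]["name"],
        "cluster_admin_equivalent": cluster_admin_equivalent_rules(role),
        "dangerous": [c for c in DANGEROUS_CHECKS if role_allows(role, *c)],
    }


if __name__ == "__main__":
    # Read a real manifest from a file argument, else audit the two samples.
    roles = [json.load(open(sys.argv[1]))] if len(sys.argv) > 1 \
        else [OVERPRIVILEGED, SCOPED]
    for role in roles:
        print(json.dumps(audit(role), indent=2))
```

To run it against a live cluster, dump the role first ("kubectl get clusterrole NAME -o json > role.json") and pass the file as the argument. A non-empty "cluster_admin_equivalent" list means the role is cluster-admin under another name; a non-empty "dangerous" list shows the specific actions an attacker holding the bound service account's token could take, which is what the scoped role is meant to deny.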
Vulnerable Configurations
References
- https://github.com/hwameistor/hwameistor/security/advisories/GHSA-mgwr-h7mv-fh29
- https://github.com/hwameistor/hwameistor/issues/1457
- https://github.com/hwameistor/hwameistor/issues/1460
- https://github.com/hwameistor/hwameistor/commit/edf4cebed73cadd230bf97eab65c5311f2858450
- https://github.com/hwameistor/hwameistor/blob/main/helm/hwameistor/templates/clusterrole.yaml