x/vulndb: potential Go vuln in github.com/piraeusdatastore/piraeus-operator: CVE-2024-33398

[GoVulnBot]

CVE-2024-33398 references github.com/piraeusdatastore/piraeus-operator, which may be a Go module.

Description:
There is a ClusterRole in piraeus-operator v2.5.0 and earlier which has been granted list secrets permission, which allows an attacker to impersonate the service account bound to this ClusterRole and use its high-risk privileges to list confidential information across the cluster.

References:

• NIST: https://nvd.nist.gov/vuln/detail/CVE-2024-33398
• JSON: https://github.com/CVEProject/cvelist/tree/621d4bcc8bc8606d385ee89f52673a15a8ac36ce/2024/33xxx/CVE-2024-33398.json
• web: https://github.com/HouqiyuA/k8s-rbac-poc
• web: https://github.com/piraeusdatastore/piraeus-operator
• web: https://piraeus.io/
• web: https://gist.github.com/HouqiyuA/d0c11fae5ba4789946ae33175d0f9edb
• Imported by: https://pkg.go.dev/github.com/piraeusdatastore/piraeus-operator?tab=importedby

Cross references:
No existing reports found with this module or alias.

See doc/triage.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/piraeusdatastore/piraeus-operator
      vulnerable_at: 1.10.9
      packages:
        - package: n/a
summary: CVE-2024-33398 in github.com/piraeusdatastore/piraeus-operator
cves:
    - CVE-2024-33398
references:
    - web: https://github.com/HouqiyuA/k8s-rbac-poc
    - web: https://github.com/piraeusdatastore/piraeus-operator
    - web: https://piraeus.io/
    - web: https://gist.github.com/HouqiyuA/d0c11fae5ba4789946ae33175d0f9edb
source:
    id: CVE-2024-33398

[gopherbot]

Change https://go.dev/cl/590277 mentions this issue: data/reports: add 26 unreviewed reports