Home > Vulnerability Database > CVE-2024-45054

Mend.io Vulnerability Database

CVE-2024-45054

Date: August 28, 2024

Hwameistor is an HA local storage system for cloud-native stateful workloads. This ClusterRole has * verbs of * resources. If a malicious user can access the worker node which has hwameistor's deployment, he/she can abuse these excessive permissions to do whatever he/she likes to the whole cluster, resulting in a cluster-level privilege escalation. This issue has been patched in version 0.14.6. All users are advised to upgrade. Users unable to upgrade should update and limit the ClusterRole using security-role.

Language: Go

Severity Score

2.8

Related Resources (8)

Url: https://github.com/hwameistor/hwameistor/commit/edf4cebed73cadd230bf97eab65c5311f2858450

Url: https://github.com/hwameistor/hwameistor/issues/1457

Url: https://github.com/hwameistor/hwameistor

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-45054

Url: https://github.com/hwameistor/hwameistor/security/advisories/GHSA-mgwr-h7mv-fh29

Url: https://github.com/hwameistor/hwameistor/blob/main/helm/hwameistor/templates/clusterrole.yaml

Url: https://github.com/hwameistor/hwameistor/issues/1460

Url: https://www.mend.io/vulnerability-database/CVE-2024-45054

Severity Score

2.8

Weakness Type (CWE)

Exposure of Sensitive Information to an Unauthorized Actor

CWE-200

Incorrect Privilege Assignment

CWE-266

CVSS v3.1

Base Score:	2.8
Attack Vector (AV):	LOCAL
Attack Complexity (AC):	LOW
Privileges Required (PR):	HIGH
User Interaction (UI):	REQUIRED
Scope (S):	CHANGED
Confidentiality (C):	LOW
Integrity (I):	NONE
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2024-45054

Date: August 28, 2024

Language: Go

Severity Score

Related Resources (8)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?