High severity · NVD Advisory · Published Apr 14, 2023 · Updated Feb 6, 2025
OpenFeature Operator vulnerable to Cluster-level Privilege Escalation
CVE-2023-29018
Description
The OpenFeature Operator allows users to expose feature flags to applications. Given a separate, pre-existing vulnerability that yields arbitrary code execution inside the operator, an attacker could leverage the lax permissions configured on open-feature-operator-controller-manager to escalate the privileges of any service account (SA) in the cluster. The increased privileges could be used to modify cluster state, leading to denial of service, or to read sensitive data, including Secrets. Version 0.2.32 mitigates this issue by restricting the resources that open-feature-operator-controller-manager can modify.
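The advisory describes the escalation path only in general terms: the controller-manager held write permissions broader than the operator needs, and whoever runs code in that pod inherits them. The Go program below is an added example, not code from the OpenFeature project or from the advisory. It audits a ClusterRole in the JSON form printed by `kubectl get clusterrole <name> -o json` for rule shapes that let a compromised holder of the role widen any service account's privileges (unpinned writes to RBAC bindings, the `escalate`/`bind`/`impersonate` verbs, wildcards, cluster-wide Secret reads), and runs that audit over a constructed before/after pair. The two sample roles, the binding name `flagd-kubernetes-sync` and the exact verbs are assumptions chosen to illustrate the class of fix the advisory names (restricting what the controller-manager may modify); they are not copied from the operator's manifests, and `PolicyRule`/`ClusterRole` are trimmed local copies rather than the `k8s.io/api` types.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// PolicyRule and ClusterRole are trimmed local copies of the rbac.authorization.k8s.io/v1
// fields this audit needs (not the k8s.io/api types), so only the standard library is required.
type PolicyRule struct {
	APIGroups     []string `json:"apiGroups"`
	Resources     []string `json:"resources"`
	Verbs         []string `json:"verbs"`
	ResourceNames []string `json:"resourceNames,omitempty"`
}

type ClusterRole struct {
	Metadata struct{ Name string `json:"name"` } `json:"metadata"`
	Rules    []PolicyRule `json:"rules"`
}

// Finding records one rule through which whoever holds the role (for example a controller pod an
// attacker already executes code in) can widen its own or another service account's privileges.
type Finding struct {
	Rule   int
	Reason string
}

// hasAny reports whether list contains at least one of wants.
func hasAny(list []string, wants ...string) bool {
	for _, item := range list {
		for _, w := range wants {
			if item == w {
				return true
			}
		}
	}
	return false
}

// AuditClusterRole flags the rule shapes that turn code execution in the controller pod
// into control over arbitrary service accounts.
func AuditClusterRole(cr ClusterRole) []Finding {
	var out []Finding
	for i, r := range cr.Rules {
		// Wildcard group, resource and verb is cluster-admin in all but name.
		if hasAny(r.APIGroups, "*") && hasAny(r.Resources, "*") && hasAny(r.Verbs, "*") {
			out = append(out, Finding{Rule: i, Reason: "wildcard apiGroups/resources/verbs"})
			continue
		}
		// escalate, bind and impersonate sidestep the API server's RBAC escalation checks.
		if hasAny(r.Verbs, "escalate", "bind", "impersonate") {
			out = append(out, Finding{Rule: i, Reason: fmt.Sprintf("verbs %v bypass RBAC escalation prevention", r.Verbs)})
		}
		// Write access to RBAC objects that is not pinned to specific names lets the holder
		// attach any subject to any role. Adding resourceNames is what clears this finding.
		if hasAny(r.APIGroups, "rbac.authorization.k8s.io", "*") &&
			hasAny(r.Resources, "clusterrolebindings", "rolebindings", "clusterroles", "roles", "*") &&
			hasAny(r.Verbs, "*", "create", "update", "patch", "delete", "deletecollection") &&
			len(r.ResourceNames) == 0 {
			out = append(out, Finding{Rule: i, Reason: fmt.Sprintf("unrestricted write %v on RBAC resources %v", r.Verbs, r.Resources)})
		}
		// Cluster-wide read of Secrets exposes every service account token and application credential.
		if hasAny(r.APIGroups, "", "*") && hasAny(r.Resources, "secrets", "*") &&
			hasAny(r.Verbs, "*", "get", "list", "watch") && len(r.ResourceNames) == 0 {
			out = append(out, Finding{Rule: i, Reason: "cluster-wide read of secrets"})
		}
	}
	return out
}

// AuditJSON runs the audit on raw `kubectl get clusterrole <name> -o json` output.
func AuditJSON(data []byte) ([]Finding, error) {
	var cr ClusterRole
	if err := json.Unmarshal(data, &cr); err != nil {
		return nil, err
	}
	return AuditClusterRole(cr), nil
}

// Constructed before/after pair (assumption: the controller must edit one ClusterRoleBinding so
// flagd sidecars can read flag ConfigMaps; verbs and binding name are illustrative, not the real manifests).
const BeforeJSON = `{"metadata":{"name":"controller-manager-role-before"},"rules":[
 {"apiGroups":[""],"resources":["configmaps"],"verbs":["get","list","watch","create","update"]},
 {"apiGroups":["rbac.authorization.k8s.io"],"resources":["clusterrolebindings"],"verbs":["get","list","update"]}]}`

const AfterJSON = `{"metadata":{"name":"controller-manager-role-after"},"rules":[
 {"apiGroups":[""],"resources":["configmaps"],"verbs":["get","list","watch","create","update"]},
 {"apiGroups":["rbac.authorization.k8s.io"],"resources":["clusterrolebindings"],
  "resourceNames":["flagd-kubernetes-sync"],"verbs":["get","update"]}]}`

func main() {
	for _, doc := range []string{BeforeJSON, AfterJSON} {
		findings, err := AuditJSON([]byte(doc))
		if err != nil {
			fmt.Println("parse error:", err)
			continue
		}
		fmt.Printf("%d finding(s): %+v\n", len(findings), findings)
	}
}
```

Against the constructed pair, the "before" role produces one finding (the unpinned `update` on clusterrolebindings) and the "after" role none. To audit a live role, feed `AuditJSON` the output of `kubectl get clusterrole <name> -o json`; `kubectl auth can-i --list --as=system:serviceaccount:<namespace>:<sa>` is the quick way to see what a given service account can actually do. Two caveats on the check itself: `resourceNames` only constrains single-object verbs (`get`, `update`, `patch`, `delete`), which is why the hardened rule drops `list`; and the API server's own escalation prevention (a binding may only be created or updated towards a role whose permissions the caller already holds, unless it has the `bind` verb) still applies, so pinning the binding and trimming the rest of the role are what together close the path.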
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| github.com/open-feature/open-feature-operator | Go | < 0.2.32 | 0.2.32 |
Affected products
- Range: < 0.2.32
Patches
Fixed in v0.2.32 (release notes linked under References), which narrows what open-feature-operator-controller-manager is permitted to modify; upgrade to that version or later.
Vulnerability mechanics
The controller-manager runs under a Kubernetes service account whose permissions were broader than the operator needs. Any code running in the controller pod can use that service account's token against the API server, so an attacker who obtains code execution there (through a separate bug that the advisory does not identify) inherits those permissions and can use them to grant additional privileges to any service account in the cluster, then modify cluster state or read Secrets. The advisory gives no further detail on which specific permissions were involved.
References
- github.com/advisories/GHSA-cwf6-xj49-wp83 (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2023-29018 (NVD entry)
- github.com/open-feature/open-feature-operator/releases/tag/v0.2.32 (release notes for the fixed version)
- github.com/open-feature/open-feature-operator/security/advisories/GHSA-cwf6-xj49-wp83 (project advisory)