Medium severity6.0NVD Advisory· Published Aug 5, 2024· Updated Apr 15, 2026
CVE-2024-41820
CVE-2024-41820
Description
Kubean is a cluster lifecycle management toolchain based on kubespray and other cluster LCM engine. The ClusterRole has * verbs of * resources. If a malicious user can access the worker node which has kubean's deployment, he/she can abuse these excessive permissions to do whatever he/she likes to the whole cluster, resulting in a cluster-level privilege escalation. This issue has been addressed in release version 0.18.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/kubean-io/kubeanGo | < 0.18.0 | 0.18.0 |
Patches
2d2793f4dde1b5 files changed · +45 −22
charts/kubean/templates/clusterrole.yaml+7 −21 modified@@ -4,24 +4,10 @@ kind: ClusterRole metadata: name: {{ $name }} rules: - - apiGroups: ['*'] - resources: ['*'] - verbs: ['*'] - - nonResourceURLs: ['*'] - verbs: ['*'] - - apiGroups: ['certificates.k8s.io'] - resourceNames: ['kubernetes.io/*'] - resources: ['signers'] - verbs: ['approve'] - - apiGroups: ['rbac.authorization.k8s.io'] - resources: ['clusterroles'] - verbs: ['*'] - - apiGroups: ['authentication.k8s.io'] - resources: ['*'] - verbs: ['*'] - - apiGroups: ['authorization.k8s.io'] - resources: ['*'] - verbs: ['*'] - - apiGroups: ['admissionregistration.k8s.io'] - resources: ['*'] - verbs: ['*'] \ No newline at end of file + - apiGroups: [ 'kubean.io' ] + resources: [ 'clusteroperations','clusteroperations/status','clusters','clusters/status','localartifactsets','localartifactsets/status','manifests','manifest/status' ] + verbs: [ '*' ] + - apiGroups: [ 'admissionregistration.k8s.io' ] + resources: [ 'validatingwebhookconfigurations' ] + resourceNames: [ 'kubean-admission-webhook' ] + verbs: [ 'get', 'create', 'update' ]
charts/kubean/templates/rolebinding.yaml+14 −0 added@@ -0,0 +1,14 @@ +{{- $name := include "kubean.name" . -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ $name }} + namespace: {{ include "kubean.namespace" . }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ $name }} +subjects: + - kind: ServiceAccount + name: {{ include "kubean.serviceAccountName" . }} + namespace: {{ include "kubean.namespace" . }}
charts/kubean/templates/role.yaml+23 −0 added@@ -0,0 +1,23 @@ +{{- $name := include "kubean.name" . -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ $name }} + namespace: {{ include "kubean.namespace" . }} +rules: + - apiGroups: [ '' ] + resources: [ 'pods', 'serviceaccounts' ] + verbs: [ 'list' ] + - apiGroups: [ '' ] + resources: [ 'configmaps','secrets' ] + verbs: [ "get", "create", "update" ] + - apiGroups: [ '' ] + resources: [ 'events' ] + verbs: [ "create" ] + - apiGroups: [ 'batch' ] + resources: [ 'jobs' ] + verbs: [ "get", "create", "update" ] + - apiGroups: [ 'coordination.k8s.io' ] + resources: [ 'leases' ] + resourceNames: [ 'kubean-controller', 'lease-for-kubean-webhook-ca-create' ] + verbs: [ "get", "create", "update", "delete" ]
cmd/kubean-operator/app/app.go+1 −0 modified@@ -78,6 +78,7 @@ func StartManager(ctx context.Context, opt *Options) error { LeaderElectionResourceLock: opt.LeaderElection.ResourceLock, HealthProbeBindAddress: net.JoinHostPort(opt.BindAddress, strconv.Itoa(opt.SecurePort)), LivenessEndpointName: "/healthz", + Namespace: util.GetCurrentNSOrDefault(), }) if err != nil { klog.Errorf("Failed to build controllerManager ,%s", err)
cmd/kubean-operator/app/options.go+0 −1 modified@@ -48,7 +48,6 @@ func (o *Options) AddFlags(flags *pflag.FlagSet) { flags.IntVar(&o.SecurePort, "secure-port", defaultPort, "The secure port on which to serve HTTPS.") flags.BoolVar(&o.LeaderElection.LeaderElect, "leader-elect", true, "Start a leader election client and gain leadership before executing the main loop. Enable this when running replicated components for high availability.") - flags.StringVar(&o.LeaderElection.ResourceNamespace, "leader-elect-resource-namespace", "default", "The namespace of resource object that is used for locking during leader election.") flags.Float32Var(&o.KubeAPIQPS, "kube-api-qps", 100.0, "QPS to use while talking with kubean-apiserver. Doesn't cover events and node heartbeat apis which rate limiting is controlled by a different set of flags.") flags.IntVar(&o.KubeAPIBurst, "kube-api-burst", 100, "Burst to use while talking with kubean-apiserver. Doesn't cover events and node heartbeat apis which rate limiting is controlled by a different set of flags.") }
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
6- github.com/advisories/GHSA-3wfj-3x8q-hrpgghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2024-41820ghsaADVISORY
- github.com/kubean-io/kubean/commit/167e97329e4a27ba2f456d2846d39af20e1af7efnvdWEB
- github.com/kubean-io/kubean/issues/1326nvdWEB
- github.com/kubean-io/kubean/security/advisories/GHSA-3wfj-3x8q-hrpgnvdWEB
- pkg.go.dev/vuln/GO-2024-3039ghsaWEB
News mentions
0No linked articles in our index yet.