{
  "threat_severity" : "Important",
  "public_date" : "2023-10-04T00:00:00Z",
  "bugzilla" : {
    "description" : "OpenShift: modification of node role labels",
    "id" : "2242173",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2242173"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.2",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-269",
  "details" : [ "A privilege escalation flaw was found in the NodeRestriction admission plugin of the Kubernetes API server in OpenShift. The plugin is meant to limit which fields of a node object a node's own kubelet identity may change, but it did not prevent a node role label from being modified. An attacker who has already obtained root access on a worker node (see statement) could, acting with that node's identity against the API server, change the node's role label so that workloads normally pinned to control plane and etcd nodes are scheduled onto the attacker-controlled worker node, and thereby gain broader access to the cluster." ],
  "statement" : "In order to exploit this flaw, an attacker must already have root access on a worker (workload) node; root access yields the node's own kubelet credentials, which are the node identity the NodeRestriction admission plugin failed to constrain. The flaw does not by itself provide access to a node. Administrators should apply the fixed cluster-kube-apiserver-operator release listed for their OpenShift version and may wish to review existing node objects and API audit logs for node role label changes made by node identities.",
  "acknowledgement" : "This issue was discovered by Derek Carr (Red Hat) and Mrunal Patel (Red Hat).",
  "affected_release" : [ {
    "product_name" : "Red Hat OpenShift Container Platform 4.11",
    "release_date" : "2023-11-29T00:00:00Z",
    "advisory" : "RHSA-2023:7479",
    "cpe" : "cpe:/a:redhat:openshift:4.11::el8",
    "package" : "openshift4/ose-cluster-kube-apiserver-operator:v4.11.0-202311211130.p0.g7021090.assembly.stream"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.12",
    "release_date" : "2023-11-16T00:00:00Z",
    "advisory" : "RHSA-2023:6842",
    "cpe" : "cpe:/a:redhat:openshift:4.12::el8",
    "package" : "openshift4/ose-cluster-kube-apiserver-operator:v4.12.0-202311021630.p0.gfe5e2a1.assembly.stream"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.13",
    "release_date" : "2023-10-30T00:00:00Z",
    "advisory" : "RHSA-2023:6130",
    "cpe" : "cpe:/a:redhat:openshift:4.13::el8",
    "package" : "openshift4/ose-cluster-kube-apiserver-operator:v4.13.0-202310210425.p0.gd525f5d.assembly.stream"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.14",
    "release_date" : "2023-10-31T00:00:00Z",
    "advisory" : "RHSA-2023:5006",
    "cpe" : "cpe:/a:redhat:openshift:4.14::el8",
    "package" : "openshift4/ose-cluster-kube-apiserver-operator:v4.14.0-202310201027.p0.g8b38d12.assembly.stream"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-5408\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-5408\nhttps://github.com/openshift/kubernetes/pull/1736" ],
  "name" : "CVE-2023-5408",
  "csaw" : false
}