CVE-2021-3528

HIGH

noobaa-operator <5.7.0 - Privilege Escalation

Description

A flaw was found in noobaa-operator in versions before 5.7.0, where internal RPC AuthTokens between the noobaa operator and the noobaa core are leaked into log files. An attacker with access to the log files could use a leaked AuthToken to gain additional access to the noobaa deployment and read or modify system configuration.

Scores

CVSS v3 8.8
EPSS 0.0033
EPSS Percentile 55.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Classification

CWE CWE-522, CWE-532
Status published

Affected Products (1)

redhat/noobaa-operator < 5.7.0

Timeline

Published May 13, 2021
Tracked Since Feb 18, 2026