CVE-2024-32359

MEDIUM LAB

Carina <0.13.0 - RCE

Title source: llm

Description

An RBAC authorization risk in Carina v0.13.0 and earlier allows local attackers to execute arbitrary code through designed commands to obtain the secrets of the entire cluster and further take over the cluster.

References (4)

Core 4

Core References

Various Sources

https://gist.github.com/HouqiyuA/568d9857dab4ddba6b8b6a791e90f906

Various Sources

https://github.com/carina-io/carina

View Writeup ZIP pw:eip

Various Sources

http://carina.com

Various Sources

https://github.com/HouqiyuA/k8s-rbac-poc

View Exploit ZIP pw:eip

Scores

CVSS v3 6.9

EPSS 0.0005

EPSS Percentile 16.0%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Lab Environment

COMMUNITY

Community Lab

docker pull registry.cn-hangzhou.aliyuncs.com/carina/centos-lvm2:runtime-20220108

https://github.com/carina-io/carina

https://github.com/HouqiyuA/k8s-rbac-poc

View in Library

Details

CWE

CWE-285

Status published

Published May 02, 2024

Tracked Since Feb 18, 2026