How severe is CVE-2023-27593?

This vulnerability has a severity rating of MEDIUM with a CVSS score of 5.5 out of 10.

What type of vulnerability is CVE-2023-27593?

This is classified as CWE-276, which is a common weakness in software security.

CVE-2023-27593 - MEDIUM Severity | CVSS 5.5

Vulnerability Description

Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Prior to versions 1.11.15, 1.12.8, and 1.13.1, an attacker with access to a Cilium agent pod can write to `/opt/cni/bin` due to a `hostPath` mount of that directory in the agent pod. By replacing the CNI binary with their own malicious binary and waiting for the creation of a new pod on the node, the attacker can gain access to the underlying node. The issue has been fixed and the fix is available on versions 1.11.15, 1.12.8, and 1.13.1. Some workarounds are available. Kubernetes RBAC should be used to deny users and service accounts `exec` access to Cilium agent pods. In cases where a user requires `exec` access to Cilium agent pods, but should not have access to the underlying node, no workaround is possible.

Related Vulnerabilities

CVE-2002-1713

MEDIUM

CVSS:5.5(Medium)

The Standard security setting for Mandrake-Security package (msec) in Mandrake 8.2 installs home directories with world-readable permissions, which could allow local users to read other user's files.

CWE-2762002

CVE-2012-6136

MEDIUM

CVSS:5.5(Medium)

tuned 2.10.0 creates its PID file with insecure permissions which allows local users to kill arbitrary processes.

CWE-2762012

CVE-2013-1425

MEDIUM

CVSS:5.5(Medium)

ldap-git-backup before 1.0.4 exposes password hashes due to incorrect directory permissions.

CWE-2762013

CVE-2013-4281

MEDIUM

CVSS:5.5(Medium)

In Red Hat Openshift 1, weak default permissions are applied to the /etc/openshift/server_priv.pem file on the broker server, which could allow users with local access to the broker to read this file.

CWE-2762013

CVE-2017-6404

MEDIUM

CVSS:5.5(Medium)

An issue was discovered in Veritas NetBackup Before 7.7 and NetBackup Appliance Before 2.7. There are world-writable log files, allowing destruction or spoofing of log data.

CWE-2762017

CVE-2017-7761

MEDIUM

CVSS:5.5(Medium)

The Mozilla Maintenance Service "helper.exe" application creates a temporary directory writable by non-privileged users. When this is combined with creation of a junction (a form of symbolic link), pr...

CWE-2762017