| id: GO-2023-1549 |
| modules: |
| - module: github.com/openshift/apiserver-library-go |
| versions: |
| - fixed: 0.0.0-20230119093715-30f75d79e424 |
| vulnerable_at: 0.0.0-20221118165437-6006085c7412 |
| packages: |
| - package: github.com/openshift/apiserver-library-go/pkg/securitycontextconstraints/seccomp |
| symbols: |
| - strategy.validateProfile |
| derived_symbols: |
| - strategy.ValidateContainer |
| - strategy.ValidatePod |
| summary: Improper input validation in github.com/openshift/apiserver-library-go |
| description: |- |
| Low-privileged users can set the seccomp profile for pods they control to |
| "unconfined." |
| |
| By default, the seccomp profile used in the restricted-v2 Security Context |
| Constraint (SCC) is "runtime/default," allowing users to disable seccomp for |
| pods they can create and modify. |
| cves: |
| - CVE-2023-0229 |
| ghsas: |
| - GHSA-5465-xc2j-6p84 |
| references: |
| - advisory: https://github.com/advisories/GHSA-5465-xc2j-6p84 |
| - fix: https://github.com/openshift/apiserver-library-go/pull/97 |
| - fix: https://github.com/openshift/apiserver-library-go/commit/30f75d79e424ca462c6de53ee8b93f91183763e6 |
