LiveActive security incident?Get immediate response
CVE Record

CVE-2024-5042: Submariner-operator: rbac permissions can allow for the spread of node compromises

A flaw was found in the Submariner project. Due to unnecessary role-based access control permissions, a privileged attacker can run a malicious container on a node that may allow them to steal service account tokens and further compromise other nodes and potentially the entire cluster.

MediumCVSS 6.6Not KEV-listedUpdated
Glexia's TakeAutomated analysismoderate

Security readout for executives and security teams

Plain-English summary

CVE-2024-5042 is an RBAC over-permission issue in Submariner-related components. An attacker who already has high privileges could use those permissions to run a malicious container on a node, steal service account tokens, and expand compromise across nodes or the cluster.

Executive priority

Treat this as a cluster containment risk, not a first-entry vulnerability. Prioritize patching affected OpenShift Data Foundation and Submariner deployments where privileged users, operators, or node workloads are high-value targets.

Technical view

The flaw is classified as CWE-250 and scored CVSS 6.6. Sources describe unnecessary RBAC permissions in submariner-operator that may enable a privileged attacker to deploy a malicious container, access service account tokens, and escalate impact across a Kubernetes/OpenShift cluster.

Likely exposure

Exposure is most likely in environments running affected submariner-operator versions or listed Red Hat OpenShift Data Foundation 4.16/4.20 EL9 packages. Internet exposure is not the main condition; attacker privilege inside the cluster is required.

Exploitation context

The source bundle does not show CISA KEV listing or confirmed active exploitation. Exploitation requires high privileges and high attack complexity, but successful abuse could materially worsen an existing node or cluster compromise.

Researcher notes

Evidence supports an overbroad RBAC condition enabling post-compromise expansion. The bundle does not provide exploit details, public exploitation evidence, or complete fixed-version mapping for all affected entries, so validation should anchor on vendor advisories and local package inventory.

Mitigation direction

  • Apply relevant Red Hat errata updates for affected OpenShift Data Foundation packages.
  • Check vendor guidance for fixed submariner-operator versions before upgrading.
  • Review Submariner/operator RBAC permissions and remove unnecessary privileges where supported.
  • Limit who can create privileged workloads or modify operator service accounts.
  • Monitor for unexpected service account token use and privileged container activity.

Validation and detection

  • Inventory clusters using submariner-operator and affected ODF package names.
  • Compare installed versions with the affected versions in CVE and Red Hat advisories.
  • Review ClusterRole and ClusterRoleBinding assignments for Submariner components.
  • Check audit logs for unexpected privileged workload creation on nodes.
  • Look for unusual service account token use after node-level compromise indicators.
Prepared
Confidence
high
Sources
7

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cwe · low confidence lookup

CWE-250: Exact CWE lookup

Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
description · low confidence lookup

Container behavior lookup

The affected technology mentions containers, so container-specific ATT&CK technique review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.

Open ATT&CK lookup
cve · low confidence lookup

CVE-2024-5042 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Medium
CVSS
6.6 (3.1)
Known Exploited
No
Published

Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:H/A:N

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

1CVSS vectors
5Timeline events
2ADP providers
6Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: total

CVSS vector scores

1 official score

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

ScoreVersionSeverityVectorExploitImpactSource
6.6CVSS 3.1MediumCVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:H/A:N1.34.7redhat

Vulnerability scoring details

Base CVSS 3.1 score

6.6Medium
CVSS 3.1 vector shape for CVE-2024-5042Attack VectorAttack ComplexityPrivileges RequiredUser InteractionScopeConfidentiality ImpactIntegrity ImpactAvailability Impact

Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:H/A:N

Attack Vector
NetworkAdjacentLocalPhysical
Attack Complexity
LowHigh
Privileges Required
NoneLowHigh
User Interaction
NoneRequired
Scope
ChangedUnchanged
Confidentiality Impact
HighLowNone
Integrity Impact
HighLowNone
Availability Impact
HighLowNone

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. Source timelineredhat

    Reported to Red Hat.

  2. Source timelineredhat

    Made public.

  3. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  4. CVE publishedCVE Program

    The CVE record was published.

  5. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CISA-ADPCISA ADP Vulnrichment
other:ssvc
CVECVE Program Container

Source materials

Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
Unknown vendorsubmariner-operatorsubmariner-operator, 0, 0.15.0, 0.16.0, 0.17.0, 0.18.0-m0unaffected
Red HatRHODF-4.16-RHEL-9odf4/odf-multicluster-rhel9-operator, v4.16.0-19affected
Red HatRed Hat Openshift Data Foundation 4.2odf4/cephcsi-rhel9, 1774540992affected
Red HatRed Hat Openshift Data Foundation 4.2odf4/cephcsi-rhel9-operator, 1774540668affected
Red HatRed Hat Openshift Data Foundation 4.2odf4/mcg-core-rhel9, 1774541259affected
Red HatRed Hat Openshift Data Foundation 4.2odf4/mcg-rhel9-operator, 1774541345affected
Red HatRed Hat Openshift Data Foundation 4.2odf4/ocs-client-console-rhel9, 1774541880affected
Red HatRed Hat Openshift Data Foundation 4.2odf4/ocs-client-rhel9-operator, 1774541518affected
Red HatRed Hat Openshift Data Foundation 4.2odf4/ocs-metrics-exporter-rhel9, 1774541420affected
Red HatRed Hat Openshift Data Foundation 4.2odf4/ocs-rhel9-operator, 1774541448affected
Red HatRed Hat Openshift Data Foundation 4.2odf4/odf-cli-rhel9, 1774541663affected
Red HatRed Hat Openshift Data Foundation 4.2odf4/odf-cloudnative-pg-rhel9-operator, 1774541469affected
Red HatRed Hat Openshift Data Foundation 4.2odf4/odf-console-rhel9, 1774542075affected
Red HatRed Hat Openshift Data Foundation 4.2odf4/odf-cosi-sidecar-rhel9, 1774541617affected
Red HatRed Hat Openshift Data Foundation 4.2odf4/odf-csi-addons-rhel9-operator, 1774541614affected
Red HatRed Hat Openshift Data Foundation 4.2odf4/odf-csi-addons-sidecar-rhel9, 1774541633affected
Red HatRed Hat Openshift Data Foundation 4.2odf4/odf-external-snapshotter-rhel9-operator, 1774541625affected
Red HatRed Hat Openshift Data Foundation 4.2odf4/odf-external-snapshotter-sidecar-rhel9, 1774541625affected
Red HatRed Hat Openshift Data Foundation 4.2odf4/odf-multicluster-console-rhel9, 1774542179affected
Red HatRed Hat Openshift Data Foundation 4.2odf4/odf-multicluster-rhel9-operator, 1774541779affected
Red HatRed Hat Openshift Data Foundation 4.2odf4/odf-must-gather-rhel9, 1774541857affected
Red HatRed Hat Openshift Data Foundation 4.2odf4/odf-rhel9-operator, 1774541919affected
Red HatRed Hat Openshift Data Foundation 4.2odf4/odr-rhel9-operator, 1774541919affected
Red HatRed Hat Openshift Data Foundation 4.2odf4/rook-ceph-rhel9-operator, 1774542101affected
Red HatRed Hat Advanced Cluster Management for Kubernetes 2rhacm2/lighthouse-agent-rhel9affected
Red HatRed Hat Advanced Cluster Management for Kubernetes 2rhacm2/lighthouse-coredns-rhel9affected
Red HatRed Hat Advanced Cluster Management for Kubernetes 2rhacm2/submariner-gateway-rhel9affected
Red HatRed Hat Advanced Cluster Management for Kubernetes 2rhacm2/submariner-globalnet-rhel9affected
Red HatRed Hat Advanced Cluster Management for Kubernetes 2rhacm2/submariner-rhel8-operatoraffected
Red HatRed Hat Advanced Cluster Management for Kubernetes 2rhacm2/submariner-route-agent-rhel8affected
Weakness

CWE details

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.