x/vulndb: potential Go vuln in github.com/rancher/steve: GHSA-j5hq-5jcr-xwx7

[GoVulnBot]

Advisory GHSA-j5hq-5jcr-xwx7 references a vulnerability in the following Go modules:

Module
github.com/rancher/steve

Description:

Impact

A vulnerability has been discovered in Steve API (Kubernetes API Translator) in which users can watch resources they are not allowed to access, when they have at least some generic permissions on the type. For example, a user who can get a single secret in a single namespace can get all secrets in every namespace.

During a watch request for a single ID, the following occurs:

• In the case of a watch request for a single resource, Steve API will return a partition with the requested resource in it. In other cases, it will check the user's access when constructing partitions.
• Whe...

References:

• ADVISORY: GHSA-j5hq-5jcr-xwx7
• ADVISORY: GHSA-j5hq-5jcr-xwx7
• FIX: rancher/steve@2175e09

No existing reports found with this module or alias.
See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/rancher/steve
      versions:
        - fixed: 0.0.0-20241029132712-2175e090fe4b
summary: |-
    github.com/rancher/steve's users can issue watch commands for arbitrary
    resources in github.com/rancher/steve
cves:
    - CVE-2024-52280
ghsas:
    - GHSA-j5hq-5jcr-xwx7
references:
    - advisory: https://github.com/advisories/GHSA-j5hq-5jcr-xwx7
    - advisory: https://github.com/rancher/steve/security/advisories/GHSA-j5hq-5jcr-xwx7
    - fix: https://github.com/rancher/steve/commit/2175e090fe4b1e603a54e1cdc5148a2b1c11b4d9
notes:
    - fix: 'github.com/rancher/steve: could not add vulnerable_at: cannot auto-guess when fixed version is 0.0.0 pseudo-version'
source:
    id: GHSA-j5hq-5jcr-xwx7
    created: 2024-11-21T15:01:41.126590778Z
review_status: UNREVIEWED

[gopherbot]

Change https://go.dev/cl/630755 mentions this issue: data/reports: add 3 unreviewed reports