Home > Vulnerability Database > CVE-2024-33522

Mend.io Vulnerability Database

CVE-2024-33522

Good to know:

Date: April 29, 2024

In vulnerable versions of Calico (v3.27.2 and below), Calico Enterprise (v3.19.0-1, v3.18.1, v3.17.3 and below), and Calico Cloud (v19.2.0 and below), an attacker who has local access to the Kubernetes node, can escalate their privileges by exploiting a vulnerability in the Calico CNI install binary. The issue arises from an incorrect SUID (Set User ID) bit configuration in the binary, combined with the ability to control the input binary, allowing an attacker to execute an arbitrary binary with elevated privileges.

Language: Go

Severity Score

6.7

Related Resources (10)

Url: https://github.com/projectcalico/calico/issues/7981

Url: https://github.com/projectcalico/calico/pull/8517

Url: https://pkg.go.dev/vuln/GO-2024-2801

Url: https://www.tigera.io/security-bulletins-tta-2024-001/

Url: https://github.com/projectcalico/calico/pull/8447

Url: https://www.tigera.io/security-bulletins-tta-2024-001

Url: https://github.com/advisories/GHSA-6362-gv4m-53ww

Url: https://github.com/projectcalico/calico

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-33522

Url: https://www.mend.io/vulnerability-database/CVE-2024-33522

Severity Score

6.7

Weakness Type (CWE)

Improper Privilege Management

CWE-269

Top Fix

Upgrade Version

Upgrade to version github.com/projectcalico/calico - v3.26.5;github.com/projectcalico/calico - v3.27.3

Learn More

CVSS v3.1

Base Score:	6.7
Attack Vector (AV):	LOCAL
Attack Complexity (AC):	LOW
Privileges Required (PR):	HIGH
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2024-33522

Good to know:

Date: April 29, 2024

Language: Go

Severity Score

Related Resources (10)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?