MEDIUM 5.4
GHSA-r427-j2h7-wv3m
Strimzi: Unrestricted access to all Secrets within namespace watched by the Topic operator
Details
### Impact
When only the Topic operator or only the User operator is deployed as part of the Entity Operator in the `Kafka` custom resource, the RBAC rights do not follow the principle of least privilege: the Entity Operator ServiceAccount still has the access rights corresponding to both operators. That might allow the ServiceAccount to access `KafkaUser` custom resources and Secrets when the User operator is not deployed, and to access `KafkaTopic` custom resources when the Topic operator is not deployed.
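As an added example (not code from the advisory or from the Strimzi project), the following check compares the operators enabled in a `Kafka` custom resource with the RBAC rules granted to the Entity Operator ServiceAccount and reports grants that belong to an operator that is not deployed. Assumptions: the resource-to-operator mapping is taken from the Impact text above, the function names are hypothetical, and the `Kafka` resource and rules are constructed sample data.

```python
# Added example: flag Entity Operator RBAC rules that belong to an operator
# which is not deployed. Mapping below follows the advisory's Impact text.
OPERATOR_RESOURCES = {
    "userOperator": {("kafka.strimzi.io", "kafkausers"), ("", "secrets")},
    "topicOperator": {("kafka.strimzi.io", "kafkatopics")},
}

def deployed_operators(kafka_cr):
    """Operators enabled under spec.entityOperator of a Kafka custom resource."""
    eo = (kafka_cr.get("spec") or {}).get("entityOperator") or {}
    return {op for op in OPERATOR_RESOURCES if eo.get(op) is not None}

def rule_grants(rule, group, resource):
    """True if an RBAC rule covers the resource or a subresource, honouring '*'."""
    groups = rule.get("apiGroups", [])
    group_ok = "*" in groups or group in groups
    res_ok = any(r.split("/")[0] in ("*", resource) for r in rule.get("resources", []))
    return group_ok and res_ok

def excess_grants(kafka_cr, role_rules):
    """(operator, apiGroup, resource, verbs) for grants no deployed operator needs."""
    deployed = deployed_operators(kafka_cr)
    needed = set().union(*(OPERATOR_RESOURCES[op] for op in deployed))
    findings = []
    for op, resources in OPERATOR_RESOURCES.items():
        if op in deployed:
            continue
        for group, resource in sorted(resources - needed):
            for rule in role_rules:
                if rule_grants(rule, group, resource):
                    findings.append((op, group, resource, sorted(rule.get("verbs", []))))
    return findings

# Constructed sample data: a Kafka CR with only the Topic operator, and rules
# shaped like those of a Role bound to the Entity Operator ServiceAccount.
KAFKA_TOPIC_ONLY = {"kind": "Kafka", "metadata": {"name": "example"},
                    "spec": {"entityOperator": {"topicOperator": {}}}}
SAMPLE_RULES = [
    {"apiGroups": ["kafka.strimzi.io"], "resources": ["kafkatopics", "kafkatopics/status"],
     "verbs": ["get", "list", "watch", "update"]},
    {"apiGroups": ["kafka.strimzi.io"], "resources": ["kafkausers", "kafkausers/status"],
     "verbs": ["get", "list", "watch", "update"]},
    {"apiGroups": [""], "resources": ["secrets"],
     "verbs": ["get", "list", "watch", "create", "delete"]},
]

if __name__ == "__main__":
    for op, group, resource, verbs in excess_grants(KAFKA_TOPIC_ONLY, SAMPLE_RULES):
        print(f"excess: {resource} (group '{group}') {verbs} -> {op} not deployed")
```

Against a real cluster, the same functions can be fed the `Kafka` resource and the `rules` of the Roles bound to the Entity Operator ServiceAccount, exported as JSON.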
### Patches
The issue is fixed in Strimzi 1.0.1 and 1.1.0.
### Workarounds
There is no workaround for this issue.
Affected packages
Maven / io.strimzi:strimzi
Introduced in: 0
Fixed in: 1.0.1
# pom.xml: bump <version>1.0.1</version> for io.strimzi:strimzi