CVE-2023-30617 – github.com/openkruise/kruise

Package

Manager: go
Name: github.com/openkruise/kruise
Vulnerable Version: >=0.8.0 <1.3.1 || >=1.4.0 <1.4.1 || >=1.5.0 <1.5.2

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00122 pctl0.32045

Details

Kruise allows leveraging the kruise-daemon pod to list all secrets in the entire cluster ### Impact Attacker that has gain root privilege of the node that kruise-daemon run , can leverage the kruise-daemon pod to list all secrets in the entire cluster. After that, attackers can leverage the "captured" secrets (e.g. the kruise-manager service account token) to gain extra privilege such as pod modification. ### Workarounds For users that do not require imagepulljob functions, they can modify kruise-daemon-role to drop the cluster level secret get/list privilege ### Patches For users who're using v0.8.x ~ v1.2.x, please update the v1.3.1 For users who're using v1.3, please update the v1.3.1 For users who're using v1.4, please update the v1.4.1 For users who're using v1.5, please update the v1.5.2 ### References None

Metadata

Created: 2024-01-05T16:01:24Z
Modified: 2024-01-05T16:01:24Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/01/GHSA-437m-7hj5-9mpw/GHSA-437m-7hj5-9mpw.json
CWE IDs: ["CWE-250", "CWE-269"]
Alternative ID: GHSA-437m-7hj5-9mpw
Finding: F159
Auto approve: 1