
2 vulnerabilities by openkruise

CVE-2026-24005 (GCVE-0-2026-24005)

Vulnerability from cvelistv5 – Published: 2026-02-25 18:53 – Updated: 2026-02-26 20:44
Title
OpenKruise PodProbeMarker is Vulnerable to SSRF via Unrestricted Host Field
Summary
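Kruise provides automated management of large-scale applications on Kubernetes. Prior to versions 1.8.3 and 1.7.5, PodProbeMarker allows defining custom probes with TCPSocket or HTTPGet handlers, and the webhook validation does not restrict the Host field in these probe configurations. Because kruise-daemon runs with hostNetwork=true, it executes probes from the node's network namespace. An attacker with PodProbeMarker creation permission can therefore specify arbitrary Host values to trigger SSRF from the node, perform port scanning, and receive response feedback through NodePodProbe status messages. Versions 1.8.3 and 1.7.5 patch the issue. Where an upgrade cannot be applied immediately, the precondition above suggests limiting PodProbeMarker create permission through RBAC to trusted principals. The CNA-supplied CVSS 3.1 vector in the record below lists no confidentiality, integrity or availability impact (base score 0), while the CISA SSVC entry records a proof of concept and partial technical impact, so score-based triage may under-rank this issue.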
CWE
  • CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
Impacted products
Vendor Product Version
openkruise kruise Affected: >= 1.8.0, < 1.8.3
Affected: < 1.7.5

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-24005",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-26T20:43:44.591768Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-26T20:44:09.282Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "kruise",
          "vendor": "openkruise",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 1.8.0, \u003c 1.8.3"
            },
            {
              "status": "affected",
              "version": "\u003c 1.7.5"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Kruise provides automated management of large-scale applications on Kubernetes. Prior to versions 1.8.3 and 1.7.5, PodProbeMarker allows defining custom probes with TCPSocket or HTTPGet handlers. The webhook validation does not restrict the Host field in these probe configurations. Since kruise-daemon runs with hostNetwork=true, it executes probes from the node network namespace. An attacker with PodProbeMarker creation permission can specify arbitrary Host values to trigger SSRF from the node, perform port scanning, and receive response feedback through NodePodProbe status messages. Versions 1.8.3 and 1.7.5 patch the issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 0,
            "baseSeverity": "NONE",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-918",
              "description": "CWE-918: Server-Side Request Forgery (SSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-25T18:53:30.170Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/openkruise/kruise/security/advisories/GHSA-9fj4-3849-rv9g",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/openkruise/kruise/security/advisories/GHSA-9fj4-3849-rv9g"
        },
        {
          "name": "https://github.com/openkruise/kruise/commit/94364b76adf3e8a1749a31afe809a163bed29613",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/openkruise/kruise/commit/94364b76adf3e8a1749a31afe809a163bed29613"
        },
        {
          "name": "https://github.com/openkruise/kruise/releases/tag/v1.7.5",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/openkruise/kruise/releases/tag/v1.7.5"
        },
        {
          "name": "https://github.com/openkruise/kruise/releases/tag/v1.8.3",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/openkruise/kruise/releases/tag/v1.8.3"
        }
      ],
      "source": {
        "advisory": "GHSA-9fj4-3849-rv9g",
        "discovery": "UNKNOWN"
      },
      "title": "OpenKruise PodProbeMarker is Vulnerable to SSRF via Unrestricted Host Field"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-24005",
    "datePublished": "2026-02-25T18:53:30.170Z",
    "dateReserved": "2026-01-19T18:49:20.659Z",
    "dateUpdated": "2026-02-26T20:44:09.282Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2023-30617 (GCVE-0-2023-30617)

Vulnerability from cvelistv5 – Published: 2024-01-03 15:29 – Updated: 2025-06-16 18:10
Title
Leverage the kruise-daemon pod to list all secrets in the entire cluster
Summary
Kruise provides automated management of large-scale applications on Kubernetes. Starting in version 0.8.0 and prior to versions 1.3.1, 1.4.1, and 1.5.2, an attacker who has gained root privilege on the node where kruise-daemon runs can leverage the kruise-daemon pod to list all secrets in the entire cluster. The attacker can then use the "captured" secrets (e.g. the kruise-manager service account token) to gain extra privileges such as pod modification. Versions 1.3.1, 1.4.1, and 1.5.2 fix this issue. A workaround is available: users who do not require imagepulljob functions can modify kruise-daemon-role to drop the cluster-level secret get/list privilege.
CWE
  • CWE-250 - Execution with Unnecessary Privileges
  • CWE-269 - Improper Privilege Management
Assigner
References
Impacted products
Vendor Product Version
openkruise kruise Affected: >= 0.8.0, < 1.3.1
Affected: = 1.4.0
Affected: >= 1.5.0, < 1.5.2

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T14:28:52.019Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/openkruise/kruise/security/advisories/GHSA-437m-7hj5-9mpw",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/openkruise/kruise/security/advisories/GHSA-437m-7hj5-9mpw"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-30617",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-06-16T18:09:53.999685Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-06-16T18:10:14.525Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "kruise",
          "vendor": "openkruise",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 0.8.0, \u003c 1.3.1"
            },
            {
              "status": "affected",
              "version": "= 1.4.0"
            },
            {
              "status": "affected",
              "version": "\u003e= 1.5.0, \u003c 1.5.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Kruise provides automated management of large-scale applications on Kubernetes. Starting in version 0.8.0 and prior to versions 1.3.1, 1.4.1, and 1.5.2, an attacker who has gained root privilege of the node that kruise-daemon run can leverage the kruise-daemon pod to list all secrets in the entire cluster. After that, the attacker can leverage the \"captured\" secrets (e.g. the kruise-manager service account token) to gain extra privileges such as pod modification. Versions 1.3.1, 1.4.1, and 1.5.2 fix this issue. A workaround is available. For users that do not require imagepulljob functions, they can modify kruise-daemon-role to drop the cluster level secret get/list privilege."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-250",
              "description": "CWE-250: Execution with Unnecessary Privileges",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-269",
              "description": "CWE-269: Improper Privilege Management",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-01-03T15:29:17.552Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/openkruise/kruise/security/advisories/GHSA-437m-7hj5-9mpw",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/openkruise/kruise/security/advisories/GHSA-437m-7hj5-9mpw"
        }
      ],
      "source": {
        "advisory": "GHSA-437m-7hj5-9mpw",
        "discovery": "UNKNOWN"
      },
      "title": "Leverage the kruise-daemon pod to list all secrets in the entire cluster"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2023-30617",
    "datePublished": "2024-01-03T15:29:17.552Z",
    "dateReserved": "2023-04-13T13:25:18.832Z",
    "dateUpdated": "2025-06-16T18:10:14.525Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}