GHSA-437M-7HJ5-9MPW

Vulnerability from github – Published: 2024-01-05 16:01 – Updated: 2024-01-05 16:01
VLAI?
Summary
Kruise allows leveraging the kruise-daemon pod to list all secrets in the entire cluster
Details

Impact

Attacker that has gain root privilege of the node that kruise-daemon run , can leverage the kruise-daemon pod to list all secrets in the entire cluster. After that, attackers can leverage the "captured" secrets (e.g. the kruise-manager service account token) to gain extra privilege such as pod modification.

Workarounds

For users that do not require imagepulljob functions, they can modify kruise-daemon-role to drop the cluster level secret get/list privilege

Patches

For users who're using v0.8.x ~ v1.2.x, please update the v1.3.1 For users who're using v1.3, please update the v1.3.1 For users who're using v1.4, please update the v1.4.1 For users who're using v1.5, please update the v1.5.2

References

None

Severity ?
6.5 (Medium)
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/openkruise/kruise"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.8.0"
            },
            {
              "fixed": "1.3.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/openkruise/kruise"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.4.0"
            },
            {
              "fixed": "1.4.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/openkruise/kruise"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.5.0"
            },
            {
              "fixed": "1.5.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-30617"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-250",
      "CWE-269"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-01-05T16:01:24Z",
    "nvd_published_at": "2024-01-03T16:15:08Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nAttacker that has gain root privilege of the node that kruise-daemon run , can leverage the kruise-daemon pod to list all secrets in the entire cluster. After that, attackers can leverage the \"captured\" secrets (e.g. the kruise-manager service account token) to gain extra privilege such as pod modification. \n\n### Workarounds\nFor users that do not require imagepulljob functions, they can modify kruise-daemon-role to drop the cluster level secret get/list privilege \n\n### Patches\n\nFor users who\u0027re using v0.8.x ~ v1.2.x, please update the v1.3.1\nFor users who\u0027re using v1.3, please update the v1.3.1\nFor users who\u0027re using v1.4, please update the v1.4.1\nFor users who\u0027re using v1.5, please update the v1.5.2\n### References\nNone",
  "id": "GHSA-437m-7hj5-9mpw",
  "modified": "2024-01-05T16:01:24Z",
  "published": "2024-01-05T16:01:24Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openkruise/kruise/security/advisories/GHSA-437m-7hj5-9mpw"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-30617"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openkruise/kruise"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Kruise allows leveraging the kruise-daemon pod to list all secrets in the entire cluster"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.