Ecosyste.ms: Advisories

Security Advisories: GSA_kwCzR0hTQS00MzdtLTdoajUtOW1wd84AA4Ng

Kruise allows leveraging the kruise-daemon pod to list all secrets in the entire cluster

Impact

Attacker that has gain root privilege of the node that kruise-daemon run , can leverage the kruise-daemon pod to list all secrets in the entire cluster. After that, attackers can leverage the "captured" secrets (e.g. the kruise-manager service account token) to gain extra privilege such as pod modification.

Workarounds

For users that do not require imagepulljob functions, they can modify kruise-daemon-role to drop the cluster level secret get/list privilege

Patches

For users who're using v0.8.x ~ v1.2.x, please update the v1.3.1
For users who're using v1.3, please update the v1.3.1
For users who're using v1.4, please update the v1.4.1
For users who're using v1.5, please update the v1.5.2

References

None

Permalink: https://github.com/advisories/GHSA-437m-7hj5-9mpw
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS00MzdtLTdoajUtOW1wd84AA4Ng
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 11 months ago
Updated: 11 months ago

CVSS Score: 6.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

Identifiers: GHSA-437m-7hj5-9mpw, CVE-2023-30617
References:

• https://github.com/openkruise/kruise/security/advisories/GHSA-437m-7hj5-9mpw
• https://nvd.nist.gov/vuln/detail/CVE-2023-30617
• https://github.com/advisories/GHSA-437m-7hj5-9mpw

Repository: https://github.com/openkruise/kruise
Blast Radius: 6.5

Affected Packages