CVE-2023-30617
Kruise allows leveraging the kruise-daemon pod to list all secrets in the entire cluster
Description
### Impact
An attacker who has gained root privilege on the node where kruise-daemon runs can leverage the kruise-daemon pod to list all secrets in the entire cluster. The attacker can then use the "captured" secrets (e.g. the kruise-manager service account token) to gain extra privileges such as pod modification.

### Workarounds
Users who do not require imagepulljob functions can modify kruise-daemon-role to drop the cluster-level secret get/list privilege.

### Patches
- Users of v0.8.x ~ v1.2.x: update to v1.3.1
- Users of v1.3: update to v1.3.1
- Users of v1.4: update to v1.4.1
- Users of v1.5: update to v1.5.2

### References
None
How to fix CVE-2023-30617
To remediate CVE-2023-30617, upgrade the affected package to a fixed version below.
- Upgrade to 1.3.1 or later
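Where the workaround from the Description is applied instead of an upgrade, the role can be checked for rules that still grant unscoped read access to secrets. The following is an added example, not code from the advisory or the Kruise project; it assumes the input is the JSON printed by `kubectl get clusterrole kruise-daemon-role -o json`, and the sample role below is constructed, not the real role's rules.

```python
import copy
import json

READ_VERBS = {"get", "list", "watch"}  # each of these returns secret contents

def secret_read_rules(role):
    """Return {rule index: read verbs} for rules granting unscoped read on secrets."""
    findings = {}
    for i, rule in enumerate(role.get("rules") or []):
        groups = set(rule.get("apiGroups") or [])
        resources = set(rule.get("resources") or [])
        verbs = set(rule.get("verbs") or [])
        # Secrets are in the core API group, written "" in RBAC; "*" matches everything.
        if not groups & {"", "*"} or not resources & {"secrets", "*"}:
            continue
        if rule.get("resourceNames"):  # limited to named objects, not every secret
            continue
        hit = READ_VERBS if "*" in verbs else verbs & READ_VERBS
        if hit:
            findings[i] = sorted(hit)
    return findings

def drop_secret_read(role):
    """Return a copy of the role without read verbs on secrets.
    Wildcard rules cannot be narrowed mechanically and raise ValueError."""
    flagged = secret_read_rules(role)
    rules = []
    for i, rule in enumerate(copy.deepcopy(role.get("rules") or [])):
        if i not in flagged:
            rules.append(rule)
            continue
        if "*" in rule["resources"] or "*" in rule["verbs"]:
            raise ValueError(f"rule {i} uses a wildcard; edit it by hand")
        others = [r for r in rule["resources"] if r != "secrets"]
        if others:  # other resources in the same rule keep their verbs
            rules.append({**rule, "resources": others})
        kept = [v for v in rule["verbs"] if v not in READ_VERBS]
        if kept:    # non-read verbs on secrets are left in place
            rules.append({**rule, "resources": ["secrets"], "verbs": kept})
    return {**role, "rules": rules}

# Constructed sample role for illustration; the real role's rules may differ.
SAMPLE_ROLE = json.loads("""
{"kind": "ClusterRole", "metadata": {"name": "kruise-daemon-role"}, "rules": [
  {"apiGroups": [""], "resources": ["nodes"], "verbs": ["get", "list"]},
  {"apiGroups": [""], "resources": ["pods", "secrets"], "verbs": ["get", "list", "update"]},
  {"apiGroups": [""], "resources": ["secrets"], "resourceNames": ["registry-cred"], "verbs": ["get"]}
]}
""")
```

An empty result from `secret_read_rules` on the live role means the cluster-level secret read grant is gone; the Description notes that this workaround is for users who do not need imagepulljob functions.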
Is CVE-2023-30617 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- >= 0.8.0, < 1.3.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 6.5 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N |