CVE-2023-30617

CVSS 3.1 Score 6.5 of 10 (medium)

Details

Published Jan 3, 2024
Updated: Jan 11, 2024
CWE ID 250
CWE ID 269

Summary

CVE-2023-30617 affects Kruise, a tool used for managing large-scale applications on Kubernetes. This vulnerability, present in versions 0.8.0 and earlier up to 1.3.0, 1.4.0, and 1.5.1, allows an attacker with root privileges on a node where kruise-daemon runs to list all secrets in the entire cluster. By exploiting this vulnerability, the attacker can obtain the kruise-manager service account token and acquire extra privileges, such as pod modification. Versions 1.3.1, 1.4.1, and 1.5.2 have addressed this issue. A workaround is available for users not requiring imagepulljob functions, which involves modifying the kruise-daemon-role to drop the cluster-level secret get/list privilege.

Ligh bulbPrevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.

Share