NVIDIA · NVIDIA AIStore · CVE-2025-23260
Name of the Vulnerable Software and Affected Versions:
NVIDIA AIStore versions prior to 2.3.0
Description:
NVIDIA AIStore contains a vulnerability in the AIS Operator: the ClusterRole bound to the operator's ServiceAccount grants excessive RBAC privileges, including permission to get and list Secrets and ConfigMaps. A user who can act as that ServiceAccount can therefore read data the operator does not need, gaining elevated access to the Kubernetes cluster. Because the permissions come from a ClusterRole, a ClusterRoleBinding makes them apply in every namespace rather than only the operator's own. A successful exploit could lead to information disclosure, since Secrets and ConfigMaps commonly hold credentials and other sensitive configuration.
Recommendations:
For versions prior to 2.3.0, update to version 2.3.0 or later to resolve the issue. If you cannot upgrade immediately, restrict the privileges of the ServiceAccount bound to the operator's ClusterRole: remove the get/list/watch verbs on secrets and configmaps that the operator does not require, and scope any access it does require to the operator's namespace with a Role rather than granting it cluster-wide. After changing the RBAC rules, verify the result with `kubectl auth can-i list secrets --all-namespaces --as=system:serviceaccount:<namespace>:<serviceaccount>`, which should report "no".
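The following is an added example, not code from NVIDIA or the AIStore project, showing the kind of audit a practitioner can run over RBAC manifests to find the excessive-privilege pattern described above, and what a narrowed version looks like. The two manifests are constructed for illustration (the role and namespace names are assumptions, not the real AIS Operator manifests) in the same JSON shape that `kubectl get clusterrole <name> -o json` returns, so the functions can be pointed at live output with `json.load`.

```python
"""Audit Role/ClusterRole manifests for read access to Secrets and ConfigMaps.

Input is the JSON form of a Kubernetes RBAC object (e.g. the output of
`kubectl get clusterrole <name> -o json`). Everything below is example code,
not the AIS Operator's own manifests or tooling.
"""
import json

SENSITIVE_RESOURCES = {"secrets", "configmaps"}
READ_VERBS = {"get", "list", "watch"}

# Constructed example of an over-broad ClusterRole: Secrets and ConfigMaps are
# bundled with the workload resources the operator manages, so anyone able to
# act as the bound ServiceAccount can read every Secret the binding reaches.
OVERBROAD_CLUSTERROLE = json.loads("""
{
  "apiVersion": "rbac.authorization.k8s.io/v1",
  "kind": "ClusterRole",
  "metadata": {"name": "example-operator-role"},
  "rules": [
    {"apiGroups": [""],
     "resources": ["pods", "services", "secrets", "configmaps"],
     "verbs": ["get", "list", "watch", "create", "update", "delete"]},
    {"apiGroups": ["apps"],
     "resources": ["statefulsets"],
     "verbs": ["*"]}
  ]
}
""")

# Constructed narrowed version: the ClusterRole keeps only what it needs
# cluster-wide, and ConfigMap access moves into a namespaced Role pinned to one
# named object. The namespace "ais-operator-system" is an assumption.
HARDENED_CLUSTERROLE = json.loads("""
{
  "apiVersion": "rbac.authorization.k8s.io/v1",
  "kind": "ClusterRole",
  "metadata": {"name": "example-operator-role"},
  "rules": [
    {"apiGroups": [""],
     "resources": ["pods", "services"],
     "verbs": ["get", "list", "watch", "create", "update", "delete"]},
    {"apiGroups": ["apps"],
     "resources": ["statefulsets"],
     "verbs": ["get", "list", "watch", "create", "update", "delete"]}
  ]
}
""")

HARDENED_NAMESPACED_ROLE = json.loads("""
{
  "apiVersion": "rbac.authorization.k8s.io/v1",
  "kind": "Role",
  "metadata": {"name": "example-operator-config", "namespace": "ais-operator-system"},
  "rules": [
    {"apiGroups": [""],
     "resources": ["configmaps"],
     "resourceNames": ["example-operator-config"],
     "verbs": ["get"]}
  ]
}
""")


def sensitive_read_rules(manifest):
    """Return the rules that allow reading Secrets or ConfigMaps.

    Both kinds live in the core API group, written as "" in RBAC rules. A "*"
    in apiGroups, resources or verbs is a wildcard and must be treated as a match.
    """
    hits = []
    for rule in manifest.get("rules", []):
        groups = set(rule.get("apiGroups", []))
        if not groups & {"", "*"}:
            continue
        resources = set(rule.get("resources", []))
        matched = SENSITIVE_RESOURCES if "*" in resources else resources & SENSITIVE_RESOURCES
        verbs = set(rule.get("verbs", []))
        readable = READ_VERBS if "*" in verbs else verbs & READ_VERBS
        if matched and readable:
            hits.append({
                "resources": sorted(matched),
                "verbs": sorted(readable),
                "resourceNames": sorted(rule.get("resourceNames", [])),
            })
    return hits


def is_overprivileged(manifest):
    """True for a ClusterRole that can read Secrets/ConfigMaps without a resourceNames pin.

    A ClusterRole bound through a ClusterRoleBinding applies in every namespace,
    so an unpinned read of these kinds is effectively cluster-wide.
    """
    if manifest.get("kind") != "ClusterRole":
        return False
    return any(not hit["resourceNames"] for hit in sensitive_read_rules(manifest))


if __name__ == "__main__":
    for name, m in [("overbroad", OVERBROAD_CLUSTERROLE), ("hardened", HARDENED_CLUSTERROLE),
                    ("namespaced", HARDENED_NAMESPACED_ROLE)]:
        print(name, "overprivileged:", is_overprivileged(m), sensitive_read_rules(m))
```

Running the audit over the over-broad manifest flags the core-group rule that carries get/list/watch on both secrets and configmaps; the narrowed ClusterRole produces no findings, and the namespaced Role is reported but not flagged because it is pinned by resourceNames and scoped to one namespace. On a live cluster, confirm the effective permissions of the operator's identity with `kubectl auth can-i list secrets --all-namespaces --as=system:serviceaccount:<namespace>:<serviceaccount>` rather than trusting the manifest alone, since several bindings can aggregate onto one ServiceAccount.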