CVE-2023-30512

Name of the Vulnerable Software and Affected Versions CubeFS versions 3.2.1 and earlier

Description The issue is related to incorrect permission assignment for a critical resource in CubeFS, a cloud data storage system. This can allow a remote attacker to gain unauthorized access to the device. The vulnerability is associated with Kubernetes cluster-level privilege escalation, which occurs because DaemonSet has the cfs-csi-cluster-role and can list all secrets, including the admin secret.

Recommendations For CubeFS versions 3.2.1 and earlier, consider restricting access to the cfs-csi-cluster-role to minimize the risk of exploitation until a patch is available. As a temporary workaround, limit the privileges of the DaemonSet to prevent it from listing all secrets, including the admin secret. At the moment, there is no information about a newer version that contains a fix for this vulnerability.