PT-2024-3983 · Unknown+1 · Kubernetes+1
Zmberg · Published 2024-01-03 · Updated 2024-01-11 · CVE-2023-30617
CVSS v2.0: 8.5 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:N
Name of the Vulnerable Software and Affected Versions
Kruise versions 0.8.0 through 1.3.0
Kruise version 1.4.0
Kruise versions 1.5.0 through 1.5.1
Description
Kruise provides automated management of large-scale applications on Kubernetes. An attacker who has gained root privileges on the node where kruise-daemon runs can leverage the kruise-daemon pod to list all secrets in the entire cluster. The attacker can then use the "captured" secrets (e.g. the kruise-manager service account token) to gain extra privileges such as pod modification.
Recommendations
For versions 0.8.0 through 1.2.x, update to version 1.3.1.
For version 1.3.0, update to version 1.3.1.
For version 1.4.0, update to version 1.4.1.
For versions 1.5.0 and 1.5.1, update to version 1.5.2.
As a temporary workaround, users who do not require the imagepulljob functions can modify kruise-daemon-role to drop the cluster-level secret get/list privilege.
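One way to check and apply the workaround above, as an added example that is not part of the advisory or of the Kruise project: it reads a ClusterRole in the JSON shape returned by `kubectl get clusterrole kruise-daemon-role -o json`, reports rules that grant get/list on secrets, and builds a copy without them. The sample role is constructed for illustration and is not the real content of kruise-daemon-role; the function names are hypothetical.

```python
import copy
import json

READ_VERBS = {"get", "list"}  # the verbs the workaround removes

def grants_secret_read(rule):
    """True if an RBAC rule allows get or list on core-group secrets (wildcards count)."""
    groups = set(rule.get("apiGroups", []))
    resources = set(rule.get("resources", []))
    verbs = set(rule.get("verbs", []))
    return (bool(groups & {"", "*"})
            and bool(resources & {"secrets", "*"})
            and bool(verbs & (READ_VERBS | {"*"})))

def drop_secret_read(role):
    """Return a copy of the role without get/list on secrets; other grants are kept."""
    out = copy.deepcopy(role)
    new_rules = []
    for rule in out.get("rules", []):
        if not grants_secret_read(rule):
            new_rules.append(rule)
            continue
        if "*" in rule.get("resources", []) or "*" in rule.get("verbs", []):
            # A wildcard cannot be narrowed mechanically without listing every grant.
            raise ValueError("wildcard rule covers secrets; rewrite it by hand")
        others = [r for r in rule["resources"] if r != "secrets"]
        if others:  # keep the rule's grants on the non-secret resources
            new_rules.append({**rule, "resources": others})
        kept = [v for v in rule["verbs"] if v not in READ_VERBS]
        if kept:    # keep any remaining verbs on secrets as a separate rule
            new_rules.append({**rule, "resources": ["secrets"], "verbs": kept})
    out["rules"] = new_rules
    return out

# Constructed sample input, NOT the real kruise-daemon-role.
SAMPLE = json.loads("""
{"kind": "ClusterRole", "metadata": {"name": "kruise-daemon-role"},
 "rules": [
  {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]},
  {"apiGroups": [""], "resources": ["secrets", "events"],
   "verbs": ["get", "list", "watch", "create"]}
 ]}
""")

if __name__ == "__main__":
    flagged = [i for i, r in enumerate(SAMPLE["rules"]) if grants_secret_read(r)]
    print("rules granting get/list on secrets:", flagged)
    print(json.dumps(drop_secret_read(SAMPLE), indent=2))
```

A `watch` grant on secrets also returns secret objects, so review any rule the script leaves on `secrets` before applying the result.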
Improper Privilege Management
Affected Products
Kruise
Kubernetes