CVE-2023-30617 - Vulnerability Details - OpenCVE

Kruise provides automated management of large-scale applications on Kubernetes. Starting in version 0.8.0 and prior to versions 1.3.1, 1.4.1, and 1.5.2, an attacker who has gained root privilege of the node that kruise-daemon run can leverage the kruise-daemon pod to list all secrets in the entire cluster. After that, the attacker can leverage the "captured" secrets (e.g. the kruise-manager service account token) to gain extra privileges such as pod modification. Versions 1.3.1, 1.4.1, and 1.5.2 fix this issue. A workaround is available. For users that do not require imagepulljob functions, they can modify kruise-daemon-role to drop the cluster level secret get/list privilege.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact total

Vendors	Products
Openkruise	Kruise

Configuration 1 [-]

OR	cpe:2.3:a:openkruise:kruise::::::::
	cpe:2.3:a:openkruise:kruise::::::::
	cpe:2.3:a:openkruise:kruise::::::::

No data.

References

Link	Providers
https://github.com/openkruise/kruise/security/advisories/GHSA-437m-7hj5-9mpw

History

Mon, 16 Jun 2025 18:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-01-03T15:29:17.552Z

Updated: 2025-06-16T18:10:14.525Z

Reserved: 2023-04-13T13:25:18.832Z

Link: CVE-2023-30617

Vulnrichment

Updated: 2024-08-02T14:28:52.019Z

NVD

Status : Modified

Published: 2024-01-03T16:15:08.117

Modified: 2024-11-21T08:00:31.090

Link: CVE-2023-30617

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-30617", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-04-13T13:25:18.832Z", "datePublished": "2024-01-03T15:29:17.552Z", "dateUpdated": "2025-06-16T18:10:14.525Z"}, "containers": {"cna": {"title": "Leverage the kruise-daemon pod to list all secrets in the entire cluster", "problemTypes": [{"descriptions": [{"cweId": "CWE-250", "lang": "en", "description": "CWE-250: Execution with Unnecessary Privileges", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-269", "lang": "en", "description": "CWE-269: Improper Privilege Management", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/openkruise/kruise/security/advisories/GHSA-437m-7hj5-9mpw", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/openkruise/kruise/security/advisories/GHSA-437m-7hj5-9mpw"}], "affected": [{"vendor": "openkruise", "product": "kruise", "versions": [{"version": ">= 0.8.0, < 1.3.1", "status": "affected"}, {"version": "= 1.4.0", "status": "affected"}, {"version": ">= 1.5.0, < 1.5.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-01-03T15:29:17.552Z"}, "descriptions": [{"lang": "en", "value": "Kruise provides automated management of large-scale applications on Kubernetes. Starting in version 0.8.0 and prior to versions 1.3.1, 1.4.1, and 1.5.2, an attacker who has gained root privilege of the node that kruise-daemon run can leverage the kruise-daemon pod to list all secrets in the entire cluster. After that, the attacker can leverage the \"captured\" secrets (e.g. the kruise-manager service account token) to gain extra privileges such as pod modification. Versions 1.3.1, 1.4.1, and 1.5.2 fix this issue. A workaround is available. For users that do not require imagepulljob functions, they can modify kruise-daemon-role to drop the cluster level secret get/list privilege."}], "source": {"advisory": "GHSA-437m-7hj5-9mpw", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T14:28:52.019Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/openkruise/kruise/security/advisories/GHSA-437m-7hj5-9mpw", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/openkruise/kruise/security/advisories/GHSA-437m-7hj5-9mpw"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-06-16T18:09:53.999685Z", "id": "CVE-2023-30617", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-16T18:10:14.525Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/openkruise/kruise/security/advisories/GHSA-437m-7hj5-9mpw", "name": "https://github.com/openkruise/kruise/security/advisories/GHSA-437m-7hj5-9mpw", "tags": ["x_refsource_CONFIRM", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T14:28:52.019Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-30617", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-06-16T18:09:53.999685Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-16T18:10:01.230Z"}}], "cna": {"title": "Leverage the kruise-daemon pod to list all secrets in the entire cluster", "source": {"advisory": "GHSA-437m-7hj5-9mpw", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "openkruise", "product": "kruise", "versions": [{"status": "affected", "version": ">= 0.8.0, < 1.3.1"}, {"status": "affected", "version": "= 1.4.0"}, {"status": "affected", "version": ">= 1.5.0, < 1.5.2"}]}], "references": [{"url": "https://github.com/openkruise/kruise/security/advisories/GHSA-437m-7hj5-9mpw", "name": "https://github.com/openkruise/kruise/security/advisories/GHSA-437m-7hj5-9mpw", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Kruise provides automated management of large-scale applications on Kubernetes. Starting in version 0.8.0 and prior to versions 1.3.1, 1.4.1, and 1.5.2, an attacker who has gained root privilege of the node that kruise-daemon run can leverage the kruise-daemon pod to list all secrets in the entire cluster. After that, the attacker can leverage the \"captured\" secrets (e.g. the kruise-manager service account token) to gain extra privileges such as pod modification. Versions 1.3.1, 1.4.1, and 1.5.2 fix this issue. A workaround is available. For users that do not require imagepulljob functions, they can modify kruise-daemon-role to drop the cluster level secret get/list privilege."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-250", "description": "CWE-250: Execution with Unnecessary Privileges"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-269", "description": "CWE-269: Improper Privilege Management"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-01-03T15:29:17.552Z"}}}, "cveMetadata": {"cveId": "CVE-2023-30617", "state": "PUBLISHED", "dateUpdated": "2025-06-16T18:10:14.525Z", "dateReserved": "2023-04-13T13:25:18.832Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-01-03T15:29:17.552Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:openkruise:kruise:*:*:*:*:*:*:*:*", "matchCriteriaId": "57BCE0E8-737C-4F60-A649-9A7AF93B3083", "versionEndExcluding": "1.3.1", "versionStartIncluding": "0.8.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:openkruise:kruise:*:*:*:*:*:*:*:*", "matchCriteriaId": "8B827C8D-19E3-4492-9553-12562C329AF4", "versionEndExcluding": "1.4.1", "versionStartIncluding": "1.4.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:openkruise:kruise:*:*:*:*:*:*:*:*", "matchCriteriaId": "BC512B85-26B5-44E2-9CE3-1135652ECBEA", "versionEndExcluding": "1.5.2", "versionStartIncluding": "1.5.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Kruise provides automated management of large-scale applications on Kubernetes. Starting in version 0.8.0 and prior to versions 1.3.1, 1.4.1, and 1.5.2, an attacker who has gained root privilege of the node that kruise-daemon run can leverage the kruise-daemon pod to list all secrets in the entire cluster. After that, the attacker can leverage the \"captured\" secrets (e.g. the kruise-manager service account token) to gain extra privileges such as pod modification. Versions 1.3.1, 1.4.1, and 1.5.2 fix this issue. A workaround is available. For users that do not require imagepulljob functions, they can modify kruise-daemon-role to drop the cluster level secret get/list privilege."}, {"lang": "es", "value": "Kruise proporciona gesti\u00f3n automatizada de aplicaciones a gran escala en Kubernetes. A partir de la versi\u00f3n 0.8.0 y antes de las versiones 1.3.1, 1.4.1 y 1.5.2, un atacante que haya obtenido privilegios de root en el nodo que ejecuta kruise-daemon puede aprovechar el pod kruise-daemon para enumerar todos los secretos en todo el cl\u00faster. Despu\u00e9s de eso, el atacante puede aprovechar los secretos \"capturados\" (por ejemplo, el token de la cuenta de servicio kruise-manager) para obtener privilegios adicionales, como la modificaci\u00f3n del pod. Las versiones 1.3.1, 1.4.1 y 1.5.2 solucionan este problema. Hay un workaround disponible. Para los usuarios que no requieren funciones de imagepulljob, pueden modificar kruise-daemon-role para eliminar el privilegio de obtenci\u00f3n/lista de secretos a nivel de cl\u00faster."}], "id": "CVE-2023-30617", "lastModified": "2024-11-21T08:00:31.090", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-01-03T16:15:08.117", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/openkruise/kruise/security/advisories/GHSA-437m-7hj5-9mpw"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://github.com/openkruise/kruise/security/advisories/GHSA-437m-7hj5-9mpw"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-250"}, {"lang": "en", "value": "CWE-269"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-269"}], "source": "nvd@nist.gov", "type": "Primary"}]}