Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

x/vulndb: potential Go vuln in github.com/clusternet/clusternet: CVE-2023-30622 #1735

Closed
GoVulnBot opened this issue Apr 24, 2023 · 4 comments
Closed

x/vulndb: potential Go vuln in github.com/clusternet/clusternet: CVE-2023-30622 #1735

GoVulnBot opened this issue Apr 24, 2023 · 4 comments
Assignees
@zpavlinovic
Labels
excluded: NOT_IMPORTABLE This vulnerability only exists in a binary and is not importable.

Comments

@GoVulnBot
Copy link

CVE-2023-30622 references github.com/clusternet/clusternet, which may be a Go module.

Description:
Clusternet is a general-purpose system for controlling Kubernetes clusters across different environments. An issue in clusternet prior to version 0.15.2 can be leveraged to lead to a cluster-level privilege escalation. The clusternet has a deployment called cluster-hub inside the clusternet-system Kubernetes namespace, which runs on worker nodes randomly. The deployment has a service account called clusternet-hub, which has a cluster role called clusternet:hub via cluster role binding. The clusternet:hub cluster role has "*" verbs of "*.*" resources. Thus, if a malicious user can access the worker node which runs the clusternet, they can leverage the service account to do malicious actions to critical system resources. For example, the malicious user can leverage the service account to get ALL secrets in the entire cluster, resulting in cluster-level privilege escalation. Version 0.15.2 contains a fix for this issue.

References:

Cross references:
No existing reports found with this module or alias.

See doc/triage.md for instructions on how to triage this report.

modules:
  - module: github.com/clusternet/clusternet
    packages:
      - package: clusternet
description: |
    Clusternet is a general-purpose system for controlling Kubernetes clusters across different environments. An issue in clusternet prior to version 0.15.2 can be leveraged to lead to a cluster-level privilege escalation. The clusternet has a deployment called `cluster-hub` inside the `clusternet-system` Kubernetes namespace, which runs on worker nodes randomly. The deployment has a service account called `clusternet-hub`, which has a cluster role called `clusternet:hub` via cluster role binding. The `clusternet:hub` cluster role has `"*" verbs of "*.*"` resources. Thus, if a malicious user can access the worker node which runs the clusternet, they can leverage the service account to do malicious actions to critical system resources. For example, the malicious user can leverage the service account to get ALL secrets in the entire cluster, resulting in cluster-level privilege escalation. Version 0.15.2 contains a fix for this issue.
cves:
  - CVE-2023-30622
references:
  - advisory: https://github.com/clusternet/clusternet/security/advisories/GHSA-833c-xh79-p429
  - web: https://github.com/clusternet/clusternet/releases/tag/v0.15.2
@zpavlinovic zpavlinovic self-assigned this Apr 24, 2023
@zpavlinovic zpavlinovic added the excluded: NOT_IMPORTABLE This vulnerability only exists in a binary and is not importable. label Apr 24, 2023
@zpavlinovic
Copy link
Contributor

The project seems to define a binary. The fixes are in the packages that are not imported by anyone. The APIs of the project define just types without methods and functions.

@gopherbot
Copy link
Contributor

Change https://go.dev/cl/488455 mentions this issue: data/excluded: batch add GO-2023-1735

@neild neild mentioned this issue Jun 15, 2023
Closed
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/592760 mentions this issue: data/reports: unexclude 75 reports

@gopherbot
Copy link
Contributor

Change https://go.dev/cl/606785 mentions this issue: data/reports: unexclude 20 reports (5)

gopherbot pushed a commit that referenced this issue Aug 20, 2024
@tatianab @gopherbot
data/reports: unexclude 20 reports (5)
5ea5cbb 
  - data/reports/GO-2023-1700.yaml
  - data/reports/GO-2023-1701.yaml
  - data/reports/GO-2023-1707.yaml
  - data/reports/GO-2023-1708.yaml
  - data/reports/GO-2023-1716.yaml
  - data/reports/GO-2023-1718.yaml
  - data/reports/GO-2023-1719.yaml
  - data/reports/GO-2023-1721.yaml
  - data/reports/GO-2023-1723.yaml
  - data/reports/GO-2023-1730.yaml
  - data/reports/GO-2023-1735.yaml
  - data/reports/GO-2023-1738.yaml
  - data/reports/GO-2023-1747.yaml
  - data/reports/GO-2023-1754.yaml
  - data/reports/GO-2023-1758.yaml
  - data/reports/GO-2023-1761.yaml
  - data/reports/GO-2023-1763.yaml
  - data/reports/GO-2023-1764.yaml
  - data/reports/GO-2023-1768.yaml
  - data/reports/GO-2023-1774.yaml

Updates #1700
Updates #1701
Updates #1707
Updates #1708
Updates #1716
Updates #1718
Updates #1719
Updates #1721
Updates #1723
Updates #1730
Updates #1735
Updates #1738
Updates #1747
Updates #1754
Updates #1758
Updates #1761
Updates #1763
Updates #1764
Updates #1768
Updates #1774

Change-Id: I3fc567427d68e095cc62ea48dc9b284b2414a372
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/606785
Auto-Submit: Tatiana Bradley <tatianabradley@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@zpavlinovic zpavlinovic

Labels
excluded: NOT_IMPORTABLE This vulnerability only exists in a binary and is not importable.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@zpavlinovic @gopherbot @GoVulnBot