
CVE-2023-30512: CubeFS allows Kubernetes cluster-level privilege escalation

CVSS Score (v3.1): 6.5

Basic Information

EPSS Score
0.19898%
Published
4/12/2023
Updated
5/15/2023
KEV Status
No
Technology
Go

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Package Name: github.com/cubefs/cubefs
Ecosystem: go
Vulnerable Versions: <= 3.2.1
First Patched Version: (none listed)

Vulnerability Intelligence

Root Cause Analysis

The vulnerability stems from Kubernetes RBAC configuration rather than specific code functions. The cluster role 'cfs-csi-cluster-role' associated with the DaemonSet grants excessive permissions (secrets/list) at the cluster level. This misconfiguration in Kubernetes manifests (YAML files) allows privilege escalation, but no specific Go functions in the CubeFS codebase are directly implicated. The vulnerability is infrastructure/configuration-related rather than stemming from flawed application logic in code functions.
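The misconfiguration above is an RBAC grant, so the natural check is an audit of ClusterRole rules rather than a code fix. The following is an added example, not code from the advisory or from the CubeFS project: it takes a ClusterRole in the JSON shape that `kubectl get clusterrole -o json` emits (the rule contents here are constructed to mirror the description, not CubeFS's real manifest) and flags any rule that lets the holder read Secrets cluster-wide, alongside a reduced role with that grant removed.

```python
import json

# Constructed ClusterRole modelled on the over-broad grant described above.
# Rule contents are hypothetical; only the role name comes from the advisory.
OVERBROAD_CLUSTERROLE = json.loads("""
{
  "kind": "ClusterRole",
  "metadata": {"name": "cfs-csi-cluster-role"},
  "rules": [
    {"apiGroups": [""], "resources": ["persistentvolumes"], "verbs": ["get", "list", "watch"]},
    {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]}
  ]
}
""")

# Same role with the Secrets grant dropped. Any Secret the driver genuinely
# needs should instead be granted by a namespaced Role/RoleBinding.
REDUCED_CLUSTERROLE = json.loads("""
{
  "kind": "ClusterRole",
  "metadata": {"name": "cfs-csi-cluster-role"},
  "rules": [
    {"apiGroups": [""], "resources": ["persistentvolumes"], "verbs": ["get", "list", "watch"]}
  ]
}
""")

SECRET_READ_VERBS = {"get", "list", "watch", "*"}


def secret_reading_rules(clusterrole):
    """Return the rules of a ClusterRole that allow reading Secrets.

    A rule matches when it covers the core API group ("" or "*"), the
    secrets resource (or "*"), and at least one read verb (or "*").
    Because the object is a ClusterRole, a ClusterRoleBinding to it
    makes the grant cluster-wide, which is the condition the advisory
    describes. resourceNames restrictions are not evaluated here.
    """
    findings = []
    for rule in clusterrole.get("rules", []):
        groups = set(rule.get("apiGroups", []))
        resources = set(rule.get("resources", []))
        verbs = set(rule.get("verbs", []))
        if groups & {"", "*"} and resources & {"secrets", "*"} and verbs & SECRET_READ_VERBS:
            findings.append(rule)
    return findings


if __name__ == "__main__":
    for role in (OVERBROAD_CLUSTERROLE, REDUCED_CLUSTERROLE):
        hits = secret_reading_rules(role)
        print(role["metadata"]["name"], "secret-reading rules:", hits)
```

Run the same function over every ClusterRole exported from a live cluster to find other roles with the same shape; a wildcard rule (`"*"` groups, resources and verbs) is reported as well.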


WAF Protection Rules

WAF Rule

CubeFS through 3.2.1 allows Kubernetes cluster-level privilege escalation. This occurs because DaemonSet has cfs-csi-cluster-role and can thus list all secrets, including the admin secret.
