CVE-2023-30622: 
vulnerability analysis and mitigation

Clusternet, a general-purpose system for controlling Kubernetes clusters across different environments, was found to contain a vulnerability (CVE-2023-30622) prior to version 0.15.2. The vulnerability was discovered in April 2023 and affects all versions before 0.15.2. The issue involves a deployment called cluster-hub within the clusternet-system Kubernetes namespace that runs on worker nodes randomly (GitHub Advisory).

The vulnerability stems from a deployment that uses a service account called clusternet-hub, which has a cluster role called clusternet:hub via cluster role binding. This cluster role has * verbs of *.* resources, granting extensive permissions. The CVSS v3.1 base score is 8.8 HIGH (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) according to NVD's assessment, while GitHub rates it as 6.7 MEDIUM (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:L) (NVD).

If exploited, this vulnerability allows a malicious user with access to the worker node running clusternet to perform unauthorized actions on critical system resources. The most severe impact is the ability to access ALL secrets in the entire cluster, leading to cluster-level privilege escalation (GitHub Advisory).

The vulnerability has been fixed in version 0.15.2 of Clusternet. Users are advised to upgrade to this version or later. The fix includes tightening RBAC rules to prevent unauthorized access to cluster resources (Release Notes).