CVE-2023-30840: 
NixOS vulnerability analysis and mitigation

CVE-2023-30840 affects Fluid, an open source Kubernetes-native distributed dataset orchestrator and accelerator, in versions 0.7.0 through 0.8.6. The vulnerability was discovered and disclosed in May 2023, impacting the fluid-csi service account permissions in Kubernetes clusters (GitHub Advisory).

The vulnerability stems from excessive permissions granted to the fluid-csi service account, which runs on Kubernetes nodes via the csi-nodeplugin-fluid node-daemonset. While the service account lacks 'list node' permissions, it can still modify node specifications. The vulnerability has been assigned a CVSS v3.1 base score of 7.8 HIGH by NVD with vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, though GitHub rates it as MEDIUM with vector CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:N/A:N (NVD).

If successfully exploited, an attacker who has compromised a node can manipulate system-level-privileged components to access all secrets in the cluster or execute pods on other nodes. This could lead to privilege escalation beyond the compromised node and potentially result in full privileged access to the entire cluster (GitHub Advisory).

The vulnerability has been patched in version 0.8.6. For users unable to upgrade, recommended workarounds include deleting the csi-nodeplugin-fluid daemonset in the fluid-system namespace and avoiding CSI mode for mounting FUSE file systems. Alternatively, using sidecar mode to mount FUSE file systems is recommended (GitHub Advisory).