Insecure permissions in kruise v1.6.2 allows attackers to access sensitive data and escalate privileges by obtaining the service account's token.
An attacker can obtain a service account token as a result of improperly granted permissions in the kruise application. The obtained token allows authentication as a service account in the Kubernetes cluster. This way, the attacker gains access to resources and data that the compromised account has permissions for, leading to privilege escalation.
An attacker can gain access to sensitive data and perform privilege escalation in the environment, potentially taking control of Kubernetes cluster resources.
Apply patches available from the vendor according to references. It is recommended to update kruise to a version higher than v1.6.2 and verify and restrict service account permissions according to the principle of least privilege.
kruise v1.6.2
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H