SCA: security update for github.com/clusternet/clusternet (GHSA-833c-xh79-p429)

high Tenable Self-Hosted Container Security Plugin ID 412381

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Clusternet is a general-purpose system for controlling Kubernetes clusters across different environments.
An issue in clusternet prior to version 0.15.2 can be leveraged to lead to a cluster-level privilege
escalation. The clusternet has a deployment called `cluster-hub` inside the `clusternet-system` Kubernetes
namespace, which runs on worker nodes randomly. The deployment has a service account called `clusternet-
hub`, which has a cluster role called `clusternet:hub` via cluster role binding. The `clusternet:hub`
cluster role has `"*" verbs of "*.*"` resources. Thus, if a malicious user can access the worker node
which runs the clusternet, they can leverage the service account to do malicious actions to critical
system resources. For example, the malicious user can leverage the service account to get ALL secrets in
the entire cluster, resulting in cluster-level privilege escalation. Version 0.15.2 contains a fix for
this issue. (CVE-2023-30622)

See Also

https://github.com/advisories/GHSA-833c-xh79-p429

Plugin Details

Severity: High

ID: 412381

Version: Revision 1.11

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 5

Percentile: 94.66

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5

Vector: CVSS2#AV:L/AC:L/Au:S/C:C/I:C/A:C

CVSS Score Source: CVE-2023-30622

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.7

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 4/21/2023

Vulnerability Publication Date: 4/21/2023

Reference Information

CVE: CVE-2023-30622

cwe: CWE-269