Follow-up on Potential Security Issue in Volcano – No Response to Initial Email
Please describe your problem in detail
Hello. I found code in Volcano that could indicate a potential security vulnerability. I've reported this issue in an email before, but I haven't received an answer yet, so I'm opening the issue.
Could you please provide an update on the issue I reported to you via email? Thank you.
email: [email protected]
Any other relevant information
No response
Hi @godjhh, I didn't see any security related emails in the mailing list. Who did you send it to? Can you take a screenshot of your email?
Hello @JesseStutler,
I sent the email to "[email protected]"
The email subject includes content that may violate the guidelines mentioned at "https://github.com/volcano-sh/volcano/security", so I'm unable to upload a screenshot publicly here.
Please let me know if I should resend it or if there’s a better way to report this issue.
checking by @JesseStutler
@godjhh Thanks for your email, we have received it. We will check later whether this role is necessary 👍
/assign
@JesseStutler Could you tell me about the progress, please?
@godjhh Hi, we have deleted the secrets permission in volcano-agent. Thanks for your finding. If you find other security related issues in volcano, please tell us, thanks :)
Hello, @JesseStutler
Thank you for your previous response and for promptly removing the secrets permissions from the volcano-agent DaemonSet.
As this issue involved unnecessary access to all Kubernetes Secrets, it could have resulted in a serious privilege escalation if the agent were ever compromised. Given the potential impact, I believe this qualifies as a security vulnerability that should be formally tracked.
Would it be possible for the Volcano team to assign a CVE for this issue in recognition of the finding?
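A check for the over-broad grant discussed above, added here as an example that is not part of the original thread or of Volcano's own code: it scans a ClusterRole's rules for cluster-wide read access to Secrets. The two rule sets are constructed to mirror the before/after described in the thread; the resource lists and role contents are assumptions, not Volcano's actual manifests.

```python
"""Flag RBAC rules that grant an agent unnecessary access to Kubernetes Secrets.

Added example, not Volcano's own code. The rule sets below are constructed
to mirror the before/after described in the thread; their contents are
assumptions, not Volcano's actual manifests.
"""

# Verbs that let a subject read Secret contents (directly, or via list/watch).
SECRET_READ_VERBS = {"get", "list", "watch", "*"}


def rules_granting_secret_access(rules):
    """Return the subset of RBAC rules that allow reading Secrets cluster-wide.

    `rules` is the list from a ClusterRole's `.rules` field as Python dicts.
    A rule is flagged when it covers the core API group (or all groups),
    names `secrets` (or all resources), and carries a read verb. Rules
    restricted to named objects via `resourceNames` are not flagged, since
    they cannot enumerate every Secret in the cluster.
    """
    flagged = []
    for rule in rules:
        groups = set(rule.get("apiGroups", []))
        resources = set(rule.get("resources", []))
        verbs = set(rule.get("verbs", []))
        core_group = "" in groups or "*" in groups
        secrets = "secrets" in resources or "*" in resources
        reads = bool(verbs & SECRET_READ_VERBS)
        if core_group and secrets and reads and not rule.get("resourceNames"):
            flagged.append(rule)
    return flagged


# Constructed "before": the agent's ClusterRole can read every Secret.
WEAK_RULES = [
    {"apiGroups": [""], "resources": ["nodes", "pods"], "verbs": ["get", "list", "watch"]},
    {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list", "watch"]},
]

# Constructed "after": the secrets rule is removed; only node/pod reads remain.
FIXED_RULES = [
    {"apiGroups": [""], "resources": ["nodes", "pods"], "verbs": ["get", "list", "watch"]},
]

if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("fixed", FIXED_RULES)):
        hits = rules_granting_secret_access(rules)
        print(f"{name}: {len(hits)} rule(s) grant cluster-wide Secret read access")
```

The same function can be run over the output of `kubectl get clusterrole <name> -o json` (the `.rules` list) to confirm a deployed role no longer carries the grant.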
Not very familiar with the disclosure process of CVEs. Maybe you would like to help us out? @godjhh
Also /cc @Monokaix https://github.com/volcano-sh/volcano/issues/4299#issuecomment-2995097648
Besides, the volcano community is considering forming a security team. Would you like to join? @godjhh
Hello @JesseStutler
Regarding the CVE assignment, it seems the process can be initiated through the following form: https://cveform.mitre.org/
Also, I'm definitely interested in joining the Volcano security team.
@JesseStutler Hello, did you submit the CVE form?
Currently I have no time to submit it. Besides, you may need to discuss with @Monokaix whether it's a CVE.
Hello @Monokaix, in other projects, CVEs have already been assigned for similar issues.