VYPR
Critical severity 9.8 · NVD Advisory · Published Jul 24, 2024 · Updated Apr 15, 2026

CVE-2024-36533

Description

Insecure permissions in volcano v1.8.2 allow attackers to access sensitive data and escalate privileges by obtaining the service account's token.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
github.com/volcano-sh/volcano (Go) | < 1.10.0-alpha.0 | 1.10.0-alpha.0
volcano.sh/volcano (Go) | < 1.10.0-alpha.0 | 1.10.0-alpha.0

Patches

1
55963f71c76c

Merge pull request #3449 from lekaf974/remove-list-secrets-to-controller

https://github.com/volcano-sh/volcano · Volcano Bot · May 8, 2024 · via ghsa
2 files changed · +2 -2
  • installer/helm/chart/volcano/templates/controllers.yaml+1 1 modified
    @@ -47,7 +47,7 @@ rules:
         verbs: ["get", "list", "watch", "create", "delete", "update"]
       - apiGroups: [""]
         resources: ["secrets"]
    -    verbs: ["get", "list", "watch", "create", "delete", "update"]
    +    verbs: ["get", "create", "delete", "update"]
       - apiGroups: ["scheduling.incubator.k8s.io", "scheduling.volcano.sh"]
         resources: ["podgroups", "queues", "queues/status"]
         verbs: ["get", "list", "watch", "create", "delete", "update"]
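Review bot: the secrets rule at the changed `verbs` line still carries no `resourceNames` and keeps `get`, `update` and `delete`, so the controller's service account can still read or modify any secret it can name within the role's scope. Consider splitting the rule: leave `create` on its own (Kubernetes cannot restrict `create` by resource name) and restrict `get`, `update` and `delete` with `resourceNames` to the secrets the controller itself manages, or, if this role is cluster-wide, grant these verbs through a namespaced Role instead.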
    
  • installer/volcano-development.yaml+1 1 modified
    @@ -3968,7 +3968,7 @@ rules:
         verbs: ["get", "list", "watch", "create", "delete", "update"]
       - apiGroups: [""]
         resources: ["secrets"]
    -    verbs: ["get", "list", "watch", "create", "delete", "update"]
    +    verbs: ["get", "create", "delete", "update"]
       - apiGroups: ["scheduling.incubator.k8s.io", "scheduling.volcano.sh"]
         resources: ["podgroups", "queues", "queues/status"]
         verbs: ["get", "list", "watch", "create", "delete", "update"]
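Review bot: the changed `verbs` line here is a hand-copied duplicate of the edit in installer/helm/chart/volcano/templates/controllers.yaml, and the commit touches only these two manifests. Please confirm that no controller code path still lists or watches secrets, since an informer on secrets would start failing with forbidden errors once this role is applied, and add a short YAML comment above the rule stating why `list` and `watch` are omitted so that a later sync between the two files does not restore them.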
    
