GHSA-HG79-FW4P-25P8

Vulnerability from github – Published: 2025-04-30 16:40 – Updated: 2025-05-06 19:12
VLAI?
Summary
Volcano Scheduler Denial of Service via Unbounded Response from Elastic Service/extender Plugin
Details

Impact

This issue allows an attacker who has compromised either the Elastic service or the extender plugin to cause denial of service of the scheduler. This is a privilege escalation, because Volcano users may run their Elastic service and extender plugins in separate pods or nodes from the scheduler. In the Kubernetes security model, node isolation is a security boundary, and as such an attacker is able to cross that boundary in Volcano's case if they have compromised either the vulnerable services or the pod/node in which they are deployed. The scheduler will become unavailable to other users and workloads in the cluster. The scheduler will either crash with an unrecoverable OOM panic or freeze while consuming excessive amounts of memory.

Workarounds

No

Severity ?
7.2 (High)
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:H/SA:H
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "volcano.sh/volcano"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.9.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "volcano.sh/volcano"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.10.0-alpha.0"
            },
            {
              "fixed": "1.10.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "volcano.sh/volcano"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.11.0-network-topology-preview.0"
            },
            {
              "fixed": "1.11.0-network-topology-preview.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "volcano.sh/volcano"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.11.0"
            },
            {
              "fixed": "1.11.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "volcano.sh/volcano"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.12.0-alpha.0"
            },
            {
              "fixed": "1.12.0-alpha.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-32777"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-770"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-04-30T16:40:03Z",
    "nvd_published_at": "2025-04-30T19:15:55Z",
    "severity": "HIGH"
  },
  "details": "### Impact\nThis issue allows an attacker who has compromised either the Elastic service or the extender plugin to cause denial of service of the scheduler. This is a privilege escalation, because Volcano users may run their Elastic service and extender plugins in separate pods or nodes from the scheduler. In the Kubernetes security model, node isolation is a security boundary, and as such an attacker is able to cross that boundary in Volcano\u0027s case if they have compromised either the vulnerable services or the pod/node in which they are deployed.  The scheduler will become unavailable to other users and workloads in the cluster. The scheduler will either crash with an unrecoverable OOM panic or freeze while consuming excessive amounts of memory.\n\n### Workarounds\nNo",
  "id": "GHSA-hg79-fw4p-25p8",
  "modified": "2025-05-06T19:12:07Z",
  "published": "2025-04-30T16:40:03Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/volcano-sh/volcano/security/advisories/GHSA-hg79-fw4p-25p8"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-32777"
    },
    {
      "type": "WEB",
      "url": "https://github.com/volcano-sh/volcano/commit/45a4347471a5254121d10afef04c6732095fa398"
    },
    {
      "type": "WEB",
      "url": "https://github.com/volcano-sh/volcano/commit/7103c18de19821cd278f949fa24c13da350a8c5d"
    },
    {
      "type": "WEB",
      "url": "https://github.com/volcano-sh/volcano/commit/735842af59b9be0da5090677db7693c98a798b2a"
    },
    {
      "type": "WEB",
      "url": "https://github.com/volcano-sh/volcano/commit/7c0ea53fa3cfa7a05b5fba7a8af7bfe88adc41c3"
    },
    {
      "type": "WEB",
      "url": "https://github.com/volcano-sh/volcano/commit/d687f75a11fa36f37b54e4b6ff8e49bc0a3ca6b4"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/volcano-sh/volcano"
    },
    {
      "type": "WEB",
      "url": "https://github.com/volcano-sh/volcano/releases/tag/v1.10.2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/volcano-sh/volcano/releases/tag/v1.11.0-network-topology-preview.3"
    },
    {
      "type": "WEB",
      "url": "https://github.com/volcano-sh/volcano/releases/tag/v1.11.2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/volcano-sh/volcano/releases/tag/v1.12.0-alpha.2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/volcano-sh/volcano/releases/tag/v1.9.1"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2025-3656"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:H/SA:H",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Volcano Scheduler Denial of Service via Unbounded Response from Elastic Service/extender Plugin"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.