x/vulndb: potential Go vuln in github.com/volcano-sh/volcano: GHSA-5g3x-8g2v-r8x8

[GoVulnBot]

Advisory GHSA-5g3x-8g2v-r8x8 references a vulnerability in the following Go modules:

Module
volcano.sh/volcano

Description:
Insecure permissions in volcano v1.8.2 allows attackers to access sensitive data and escalate privileges by obtaining the service account's token.

References:

• ADVISORY: GHSA-5g3x-8g2v-r8x8
• ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2024-36533
• FIX: volcano-sh/volcano@55963f7
• FIX: Remove list secret in controller ClusterRole volcano-sh/volcano#3449
• REPORT: A potential risk in volcano that could lead to takeover of the cluster volcano-sh/volcano#3446
• WEB: https://gist.github.com/HouqiyuA/a0e05a26ecc80bd970ac4649faecc930

No existing reports found with this module or alias.
See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: volcano.sh/volcano
      versions:
        - fixed: 1.10.0-alpha.0
      vulnerable_at: 1.9.0
summary: Volcano has insecure permissions in volcano.sh/volcano
cves:
    - CVE-2024-36533
ghsas:
    - GHSA-5g3x-8g2v-r8x8
references:
    - advisory: https://github.com/advisories/GHSA-5g3x-8g2v-r8x8
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-36533
    - fix: https://github.com/volcano-sh/volcano/commit/55963f71c76cb85cea1cdb9582ea7d58cfbedcf8
    - fix: https://github.com/volcano-sh/volcano/pull/3449
    - report: https://github.com/volcano-sh/volcano/issues/3446
    - web: https://gist.github.com/HouqiyuA/a0e05a26ecc80bd970ac4649faecc930
source:
    id: GHSA-5g3x-8g2v-r8x8
    created: 2024-08-02T17:01:12.878001487Z
review_status: UNREVIEWED

[gopherbot]

Change https://go.dev/cl/603235 mentions this issue: data/reports: add 29 unreviewed reports