From this webpage screenshot, we can extract the following key information about the vulnerability:

1. Vulnerability Description:
- Vulnerability Name: [Bug] DaemonSet hwameistor-local-disk-manager has too much RBAC permission which may lead to the whole cluster being hijacked #1457
- Description: The hwameistor-local-disk-manager DaemonSet is granted excessive RBAC permissions, which could allow the entire cluster to be hijacked.

2. Permission Issue:
- hwameistor-local-disk-manager uses a shared service account instead of a dedicated one, so it inherits permissions it does not need:
  - (ClusterRole) to create/update/delete resources
  - (ClusterRole) to get/list resources
  - (ClusterRole) to update/patch resources

3. Potential Risks:
- Because a DaemonSet runs on every node, anyone who compromises one of its pods obtains the shared service account's token. With these unnecessary permissions, such an attacker could create privileged containers and from there take control of all nodes in the cluster.
- The attacker could retrieve and list all secrets in the cluster, including database passwords, external cloud service tokens, etc.
- The attacker could modify node labels, which drive pod scheduling, and thereby steer malicious containers onto nodes of their choosing.

4. Mitigation Recommendations:
- Create a dedicated service account for the DaemonSet and remove all permissions it does not need.
- Identify the specific resources (and resource names) the application must access and restrict the role rules to them.
- Use Kyverno or OPA/Gatekeeper policies to restrict the container images, entrypoints, and commands of newly created Pods, and disable and .

5. Reference Links:
- Several CVEs have been assigned to similar issues in other projects.

6. Status:
- The issue has been closed.

In summary, the vulnerability is an over-broad RBAC configuration: a shared service account gives the local-disk-manager far more than it needs, and a compromise of that account could lead to cluster hijacking and exposure of sensitive information.
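The following is an added example, not code from the issue or from the hwameistor project. It audits a list of RBAC PolicyRules for the three risk classes the issue names (create Pods, read Secrets, modify Nodes), treating rules scoped with `resourceNames` as non-cluster-wide, and then builds the dedicated ServiceAccount/ClusterRole/ClusterRoleBinding set that the mitigation recommends. The sample rule sets, the namespace `example-namespace`, the account name `example-ldm` and the ConfigMap name `example-ldm-config` are all constructed for illustration; the real resources the disk manager needs must be derived from the application itself.

```python
"""Audit Kubernetes RBAC rules for the over-privilege patterns described in the issue.

All rule sets and names below are constructed for this example; they are not
hwameistor's actual manifests.
"""
import json

# Each check: (verbs that matter, core-group resource, why it is dangerous).
# These mirror the three risks listed in the issue.
RISK_CHECKS = [
    ({"create"}, "pods",
     "can create Pods, including privileged ones, and take over every node"),
    ({"get", "list"}, "secrets",
     "can read every Secret in scope (DB passwords, cloud tokens, ...)"),
    ({"update", "patch"}, "nodes",
     "can rewrite node labels and steer malicious Pods onto chosen nodes"),
]


def _covers(granted, wanted):
    """RBAC list semantics: '*' matches anything, otherwise exact string match."""
    return "*" in granted or wanted in granted


def rule_grants(rule, verb, resource):
    """True if one PolicyRule grants `verb` on a core-group `resource` for all objects.

    Rules carrying resourceNames are treated as not granting: they only reach the
    named objects, and Kubernetes cannot grant `create` via resourceNames at all
    because the object name is unknown at authorization time.
    """
    if rule.get("resourceNames"):
        return False
    return (_covers(rule.get("apiGroups", []), "")
            and _covers(rule.get("resources", []), resource)
            and _covers(rule.get("verbs", []), verb))


def audit_rules(rules):
    """Return one finding string per risk class that the rule set satisfies."""
    findings = []
    for verbs, resource, why in RISK_CHECKS:
        hit = sorted(v for v in verbs if any(rule_grants(r, v, resource) for r in rules))
        if hit:
            findings.append(f"{'/'.join(hit)} {resource}: {why}")
    return findings


def dedicated_rbac(name, namespace, rules):
    """Build a dedicated ServiceAccount plus ClusterRole and ClusterRoleBinding.

    A ClusterRole is used because Nodes are cluster-scoped; a namespaced Role
    cannot grant access to them. kubectl apply accepts this JSON directly.
    """
    return [
        {"apiVersion": "v1", "kind": "ServiceAccount",
         "metadata": {"name": name, "namespace": namespace}},
        {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRole",
         "metadata": {"name": name}, "rules": rules},
        {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRoleBinding",
         "metadata": {"name": name},
         "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                     "kind": "ClusterRole", "name": name},
         "subjects": [{"kind": "ServiceAccount", "name": name, "namespace": namespace}]},
    ]


# Constructed: a shared, over-broad ClusterRole of the kind the issue describes.
SHARED_RULES = [
    {"apiGroups": ["*"], "resources": ["*"], "verbs": ["create", "update", "delete"]},
    {"apiGroups": [""], "resources": ["secrets", "configmaps", "pods", "nodes"],
     "verbs": ["get", "list"]},
    {"apiGroups": [""], "resources": ["nodes"], "verbs": ["update", "patch"]},
]

# Hypothetical least-privilege rules: read-only on Nodes, writes only to one
# named ConfigMap. The real list must come from what the application actually does.
DEDICATED_RULES = [
    {"apiGroups": [""], "resources": ["nodes"], "verbs": ["get", "list", "watch"]},
    {"apiGroups": [""], "resources": ["configmaps"],
     "resourceNames": ["example-ldm-config"], "verbs": ["get", "update", "patch"]},
]

if __name__ == "__main__":
    for label, rules in (("shared", SHARED_RULES), ("dedicated", DEDICATED_RULES)):
        print(f"{label}: {audit_rules(rules) or ['no findings']}")
    print(json.dumps(dedicated_rbac("example-ldm", "example-namespace", DEDICATED_RULES), indent=2))
```

To run the audit against a live cluster, feed the `rules` array from `kubectl get clusterrole NAME -o json` into `audit_rules`; any finding means the bound service account can reach the corresponding resource cluster-wide, exactly the situation the issue reports.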