logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

CVE-2024-56513 github.com/karmada-io/karmada

Package

Manager: go
Name: github.com/karmada-io/karmada
Vulnerable Version: >=0 <1.12.0

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:U/RC:R

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00098 pctl0.27909

Details

Karmada PULL Mode Cluster Privilege Escalation ### Impact _What kind of vulnerability is it? Who is impacted?_ The [PULL](https://karmada.io/docs/next/userguide/clustermanager/cluster-registration#pull-mode) mode clusters registered with the `karmadactl register` command have excessive privileges to access control plane resources. By abusing these permissions, an attacker able to authenticate as the karmada-agent to a karmada cluster would be able to obtain administrative privileges over the entire federation system including all registered member clusters. ### Patches _Has the problem been patched? What versions should users upgrade to?_ Since Karmada v1.12.0, command `karmadactl register` restricts the access permissions of pull mode member clusters to control plane resources. This way, an attacker able to authenticate as the karmada-agent cannot control other member clusters in Karmada. ### Workarounds _Is there a way for users to fix or remediate the vulnerability without upgrading?_ Restricts the access permissions of pull mode member clusters to control plane resources according to [Karmada Component Permissions Docs](https://karmada.io/docs/administrator/security/component-permission). ### References _Are there any links users can visit to find out more?_ 1. Enhancements made from the Karmada community: https://github.com/karmada-io/karmada/pull/5793 2. Karmada Component Permissions: https://karmada.io/docs/administrator/security/component-permission

Metadata

Created: 2025-01-03T16:12:03Z
Modified: 2025-01-03T19:25:48Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/01/GHSA-mg7w-c9x2-xh7r/GHSA-mg7w-c9x2-xh7r.json
CWE IDs: ["CWE-266"]
Alternative ID: GHSA-mg7w-c9x2-xh7r
Finding: F005
Auto approve: 1