logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

CVE-2024-56514 github.com/karmada-io/karmada

Package

Manager: go
Name: github.com/karmada-io/karmada
Vulnerable Version: >=0 <1.12.0

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00284 pctl0.51382

Details

Karmada Tar Slips in CRDs archive extraction ### Impact _What kind of vulnerability is it? Who is impacted?_ Both in karmadactl and karmada-operator, it is possible to supply a filesystem path, or an HTTP(s) URL to retrieve the custom resource definitions(CRDs) needed by karmada. The CRDs are downloaded as a gzipped tarfile and are vulnerable to a TarSlip vulnerability. An attacker able to supply a malicious CRD file into a karmada initialization could write arbitrary files in arbitrary paths of the filesystem. ### Patches _Has the problem been patched? What versions should users upgrade to?_ From karmada version v1.12.0, when processing custom CRDs files, CRDs archive verification is utilized to enhance file system robustness. ### Workarounds _Is there a way for users to fix or remediate the vulnerability without upgrading?_ When using `karmadactl init` to set up Karmada, if you need to set flag `--crd` to customize the CRD files required for karmada initialization, you can manually inspect the CRD files to check whether they contain sequences such as `../` that would alter file paths, to determine if they potentially include malicious files. When using karmada-operator to set up Karmada, you must upgrade your karmada-operator to one of the fixed versions. ### References _Are there any links users can visit to find out more?_ 1. Enhancements made from the Karmada community: https://github.com/karmada-io/karmada/pull/5713, https://github.com/karmada-io/karmada/pull/5703

Metadata

Created: 2025-01-03T16:15:54Z
Modified: 2025-01-03T19:25:56Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/01/GHSA-cwrh-575j-8vr3/GHSA-cwrh-575j-8vr3.json
CWE IDs: ["CWE-22"]
Alternative ID: GHSA-cwrh-575j-8vr3
Finding: F063
Auto approve: 1