logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

GHSA-c7xh-gjv4-4jgv github.com/kcp-dev/kcp

Package

Manager: go
Name: github.com/kcp-dev/kcp
Vulnerable Version: >=0 <0.26.1

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

EPSS: N/A pctlN/A

Details

kcp's impersonation allows access to global administrative groups ### Impact [Impersonation](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#user-impersonation) is a feature of the Kubernetes API, allowing to override user information. As downstream project, kcp inherits this feature. As per the linked documentation a specific level of privilege (usually assigned to cluster admins) is required for impersonation. The vulnerability in kcp affects kcp installations in which users are granted the `cluster-admin` ClusterRole (or comparably high permission levels that grant impersonation access; the verb in question is `impersonate`) within their respective workspaces. As kcp builds around self-service confined within workspaces, most installations would likely grant such workspace access to their users. Such users can impersonate special global administrative groups, which circumvent parts of the authorizer chains, e.g. [maximal permission policies](https://docs.kcp.io/kcp/v0.26/concepts/apis/exporting-apis/#maximal-permission-policy). ### Patches The problem has been patched in #3206 and is available in kcp 0.26.1 and higher. ### Workarounds - Not assigning the `cluster-admin` role (or any other role granting blanket impersonation permissions) to users. - A reverse proxy between users and kcp to check for the `Impersonate-Group` header and reject requests that impersonate global administrative groups. ### References See the pull request (#3206).

Metadata

Created: 2024-12-11T18:42:30Z
Modified: 2024-12-12T19:33:14Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/12/GHSA-c7xh-gjv4-4jgv/GHSA-c7xh-gjv4-4jgv.json
CWE IDs: ["CWE-285"]
Alternative ID: N/A
Finding: F039
Auto approve: 1