VDB

CISA-2024-56513

CISA-2024-56513 PUBLISHED CVSS 8.7 HIGH

Reported by GitHub_M · Published January 3, 2025

Karmada is a Kubernetes management system that allows users to run cloud-native applications across multiple Kubernetes clusters and clouds. Prior to version 1.12.0, the PULL mode clusters registered with the `karmadactl register` command have excessive privileges to access control plane resources. By abusing these permissions, an attacker able to authenticate as the karmada-agent to a karmada cluster would be able to obtain administrative privileges over the entire federation system including all registered member clusters. Since Karmada v1.12.0, command `karmadactl register` restricts the access permissions of pull mode member clusters to control plane resources. This way, an attacker able to authenticate as the karmada-agent cannot control other member clusters in Karmada. As a workaround, one may restrict the access permissions of pull mode member clusters to control plane resources according to Karmada Component Permissions Docs.

Risk Scores

CVSS 4.0
8.7
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected Products

VendorProductVersions
karmada-iokarmada< 1.12.0
karmada-iokarmada< 1.12.0, < 1.12.0

Timeline

  • Jan 3, 2025 CVE Published
  • Jan 3, 2025 CVE Updated
Open in Interactive Console →
$ Console Community · 100/wk Open console ›