Required CVE Record Information
Description
Karmada is a Kubernetes management system that allows users to run cloud-native applications across multiple Kubernetes clusters and clouds. Prior to version 1.12.0, the PULL mode clusters registered with the `karmadactl register` command have excessive privileges to access control plane resources. By abusing these permissions, an attacker able to authenticate as the karmada-agent to a karmada cluster would be able to obtain administrative privileges over the entire federation system including all registered member clusters. Since Karmada v1.12.0, command `karmadactl register` restricts the access permissions of pull mode member clusters to control plane resources. This way, an attacker able to authenticate as the karmada-agent cannot control other member clusters in Karmada. As a workaround, one may restrict the access permissions of pull mode member clusters to control plane resources according to Karmada Component Permissions Docs.
CVSS 1 Total
| Score | Severity | Version | Vector String |
|---|---|---|---|
| 8.7 | HIGH | 4.0 | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
References 4 Total
- github.com: https://github.com/karmada-io/karmada/security/advisories/GHSA-mg7w-c9x2-xh7r
- github.com: https://github.com/karmada-io/karmada/pull/5793
- github.com: https://github.com/karmada-io/karmada/commit/2c82055c4c7f469411b1ba48c4dba4841df04831
- karmada.io: https://karmada.io/docs/administrator/security/component-permission