Description

Karmada is a Kubernetes management system that allows users to run cloud-native applications across multiple Kubernetes clusters and clouds. Prior to version 1.12.0, the PULL mode clusters registered with the `karmadactl register` command have excessive privileges to access control plane resources. By abusing these permissions, an attacker able to authenticate as the karmada-agent to a karmada cluster would be able to obtain administrative privileges over the entire federation system including all registered member clusters. Since Karmada v1.12.0, command `karmadactl register` restricts the access permissions of pull mode member clusters to control plane resources. This way, an attacker able to authenticate as the karmada-agent cannot control other member clusters in Karmada. As a workaround, one may restrict the access permissions of pull mode member clusters to control plane resources according to Karmada Component Permissions Docs.

INFO

Published Date :

2025-01-03T16:11:51.629Z

Last Modified :

2025-01-03T17:22:04.247Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2024-56513 vulnerability.

Vendors Products
Karmada-io
  • Karmada
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2024-56513.

URL Resource
https://github.com/karmada-io/karmada/commit/2c82055c4c7f469411b1ba48c4dba4841df04831 cve-icon cve-icon
https://github.com/karmada-io/karmada/pull/5793 cve-icon cve-icon
https://github.com/karmada-io/karmada/security/advisories/GHSA-mg7w-c9x2-xh7r cve-icon cve-icon
https://karmada.io/docs/administrator/security/component-permission cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability