CVE-2024-56513: Karmada PULL Mode Cluster Privilege Escalation
What kind of vulnerability is it? Who is impacted?
The PULL mode clusters registered with the karmadactl register command have excessive privileges to access control plane resources. By abusing these permissions, an attacker able to authenticate as the karmada-agent to a karmada cluster would be able to obtain administrative privileges over the entire federation system including all registered member clusters.
References
- github.com/advisories/GHSA-mg7w-c9x2-xh7r
- github.com/karmada-io/karmada
- github.com/karmada-io/karmada/commit/2c82055c4c7f469411b1ba48c4dba4841df04831
- github.com/karmada-io/karmada/pull/5793
- github.com/karmada-io/karmada/security/advisories/GHSA-mg7w-c9x2-xh7r
- karmada.io/docs/administrator/security/component-permission
- nvd.nist.gov/vuln/detail/CVE-2024-56513
Code Behaviors & Features
Detect and mitigate CVE-2024-56513 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →