CVE-2024-56514: Karmada Tar Slips in CRDs archive extraction
What kind of vulnerability is it? Who is impacted?
Both in karmadactl and karmada-operator, it is possible to supply a filesystem path, or an HTTP(s) URL to retrieve the custom resource definitions(CRDs) needed by karmada. The CRDs are downloaded as a gzipped tarfile and are vulnerable to a TarSlip vulnerability. An attacker able to supply a malicious CRD file into a karmada initialization could write arbitrary files in arbitrary paths of the filesystem.
References
- github.com/advisories/GHSA-cwrh-575j-8vr3
- github.com/karmada-io/karmada
- github.com/karmada-io/karmada/commit/40ec488b18a461ab0f871d2c9ec8665b361f0d50
- github.com/karmada-io/karmada/commit/f78e7e2a3d02bed04e9bc7abd3ae7b3ac56862d2
- github.com/karmada-io/karmada/pull/5703
- github.com/karmada-io/karmada/pull/5713
- github.com/karmada-io/karmada/security/advisories/GHSA-cwrh-575j-8vr3
- nvd.nist.gov/vuln/detail/CVE-2024-56514
Code Behaviors & Features
Detect and mitigate CVE-2024-56514 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →