Vulnerability Description
Karmada is a Kubernetes management system that allows users to run cloud-native applications across multiple Kubernetes clusters and clouds. Prior to version 1.12.0, the PULL mode clusters registered with the `karmadactl register` command have excessive privileges to access control plane resources. By abusing these permissions, an attacker able to authenticate as the karmada-agent to a karmada cluster would be able to obtain administrative privileges over the entire federation system including all registered member clusters. Since Karmada v1.12.0, command `karmadactl register` restricts the access permissions of pull mode member clusters to control plane resources. This way, an attacker able to authenticate as the karmada-agent cannot control other member clusters in Karmada. As a workaround, one may restrict the access permissions of pull mode member clusters to control plane resources according to Karmada Component Permissions Docs.
Related Weaknesses (CWE)
References
- https://github.com/karmada-io/karmada/commit/2c82055c4c7f469411b1ba48c4dba4841df
- https://github.com/karmada-io/karmada/pull/5793
- https://github.com/karmada-io/karmada/security/advisories/GHSA-mg7w-c9x2-xh7r
- https://karmada.io/docs/administrator/security/component-permission
FAQ
What is CVE-2024-56513?
CVE-2024-56513 is a documented vulnerability. Karmada is a Kubernetes management system that allows users to run cloud-native applications across multiple Kubernetes clusters and clouds. Prior to version 1.12.0, the PULL mode clusters registered ...
How severe is CVE-2024-56513?
CVSS scoring is not yet available for CVE-2024-56513. Check NVD for updates.
Is there a patch for CVE-2024-56513?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.