FKIE_CVE-2024-56514

Vulnerability from fkie_nvd - Published: 2025-01-03 17:15 - Updated: 2025-01-03 17:15
Severity ?
5.3 (Medium) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
Summary
Karmada is a Kubernetes management system that allows users to run cloud-native applications across multiple Kubernetes clusters and clouds. Prior to version 1.12.0, both in karmadactl and karmada-operator, it is possible to supply a filesystem path, or an HTTP(s) URL to retrieve the custom resource definitions(CRDs) needed by Karmada. The CRDs are downloaded as a gzipped tarfile and are vulnerable to a TarSlip vulnerability. An attacker able to supply a malicious CRD file into a Karmada initialization could write arbitrary files in arbitrary paths of the filesystem. From Karmada version 1.12.0, when processing custom CRDs files, CRDs archive verification is utilized to enhance file system robustness. A workaround is available. Someone who needs to set flag `--crd` to customize the CRD files required for Karmada initialization when using `karmadactl init` to set up Karmada can manually inspect the CRD files to check whether they contain sequences such as `../` that would alter file paths, to determine if they potentially include malicious files. When using karmada-operator to set up Karmada, one must upgrade one's karmada-operator to one of the fixed versions.
References
security-advisories@github.comhttps://github.com/karmada-io/karmada/commit/40ec488b18a461ab0f871d2c9ec8665b361f0d50
security-advisories@github.comhttps://github.com/karmada-io/karmada/commit/f78e7e2a3d02bed04e9bc7abd3ae7b3ac56862d2
security-advisories@github.comhttps://github.com/karmada-io/karmada/pull/5703
security-advisories@github.comhttps://github.com/karmada-io/karmada/pull/5713
security-advisories@github.comhttps://github.com/karmada-io/karmada/security/advisories/GHSA-cwrh-575j-8vr3
Impacted products
Vendor Product Version
To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Karmada is a Kubernetes management system that allows users to run cloud-native applications across multiple Kubernetes clusters and clouds. Prior to version 1.12.0, both in karmadactl and karmada-operator, it is possible to supply a filesystem path, or an HTTP(s) URL to retrieve the custom resource definitions(CRDs) needed by Karmada. The CRDs are downloaded as a gzipped tarfile and are vulnerable to a TarSlip vulnerability. An attacker able to supply a malicious CRD file into a Karmada initialization could write arbitrary files in arbitrary paths of the filesystem. From Karmada version 1.12.0, when processing custom CRDs files, CRDs archive verification is utilized to enhance file system robustness. A workaround is available. Someone who needs to set flag `--crd` to customize the CRD files required for Karmada initialization when using `karmadactl init` to set up Karmada can manually inspect the CRD files to check whether they contain sequences such as `../` that would alter file paths, to determine if they potentially include malicious files. When using karmada-operator to set up Karmada, one must upgrade one\u0027s karmada-operator to one of the fixed versions."
    },
    {
      "lang": "es",
      "value": "Karmada es un sistema de administraci\u00f3n de Kubernetes que permite a los usuarios ejecutar aplicaciones nativas de la nube en m\u00faltiples cl\u00fasteres y nubes de Kubernetes. Antes de la versi\u00f3n 1.12.0, tanto en karmadactl como en karmada-operator, es posible proporcionar una ruta del sistema de archivos o una URL HTTP(s) para recuperar las definiciones de recursos personalizadas (CRD) que necesita Karmada. Las CRD se descargan como un archivo tar comprimido y son vulnerables a una vulnerabilidad TarSlip. Un atacante capaz de proporcionar un archivo CRD malicioso en una inicializaci\u00f3n de Karmada podr\u00eda escribir archivos arbitrarios en rutas arbitrarias del sistema de archivos. A partir de la versi\u00f3n 1.12.0 de Karmada, al procesar archivos CRD personalizados, se utiliza la verificaci\u00f3n del archivo CRD para mejorar la solidez del sistema de archivos. Hay una workaround disponible. Alguien que necesite configurar el indicador `--crd` para personalizar los archivos CRD necesarios para la inicializaci\u00f3n de Karmada al usar `karmadactl init` para configurar Karmada puede inspeccionar manualmente los archivos CRD para verificar si contienen secuencias como `../` que alterar\u00edan las rutas de los archivos, para determinar si incluyen potencialmente archivos maliciosos. Al usar karmada-operator para configurar Karmada, uno debe actualizar su karmada-operator a una de las versiones fijas."
    }
  ],
  "id": "CVE-2024-56514",
  "lastModified": "2025-01-03T17:15:09.017",
  "metrics": {
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "NONE",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 5.3,
          "baseSeverity": "MEDIUM",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "NONE",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "NONE",
          "userInteraction": "PASSIVE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "NONE",
          "vulnConfidentialityImpact": "NONE",
          "vulnIntegrityImpact": "LOW",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-01-03T17:15:09.017",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/karmada-io/karmada/commit/40ec488b18a461ab0f871d2c9ec8665b361f0d50"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/karmada-io/karmada/commit/f78e7e2a3d02bed04e9bc7abd3ae7b3ac56862d2"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/karmada-io/karmada/pull/5703"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/karmada-io/karmada/pull/5713"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/karmada-io/karmada/security/advisories/GHSA-cwrh-575j-8vr3"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-22"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.