CVE-2024-56513

HIGH Year: 2024
Weakness Type
CWE-266
View all →

Vulnerability Description

Karmada is a Kubernetes management system that allows users to run cloud-native applications across multiple Kubernetes clusters and clouds. Prior to version 1.12.0, the PULL mode clusters registered with the `karmadactl register` command have excessive privileges to access control plane resources. By abusing these permissions, an attacker able to authenticate as the karmada-agent to a karmada cluster would be able to obtain administrative privileges over the entire federation system including all registered member clusters. Since Karmada v1.12.0, command `karmadactl register` restricts the access permissions of pull mode member clusters to control plane resources. This way, an attacker able to authenticate as the karmada-agent cannot control other member clusters in Karmada. As a workaround, one may restrict the access permissions of pull mode member clusters to control plane resources according to Karmada Component Permissions Docs.

Related Vulnerabilities

CVE-2019-10940

CRITICAL
CVSS:9.9(Critical)

A vulnerability has been identified in SINEMA Server (All versions < V14.0 SP2 Update 1). Incorrect session validation could allow an attacker with a valid session, with low privileges, to perform fir...

CWE-2662019

CVE-2025-26512

CRITICAL
CVSS:9.9(Critical)

SnapCenter versions prior to 6.0.1P1 and 6.1P1 are susceptible to a vulnerability which may allow an authenticated SnapCenter Server user to become an admin user on a remote system where a SnapCenter ...

CWE-2662025

CVE-2022-3458

CRITICAL
CVSS:9.8(Critical)

A vulnerability has been found in SourceCodester Human Resource Management System 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /employeeview.p...

CWE-2662022

CVE-2022-3735

CRITICAL
CVSS:9.8(Critical)

A vulnerability was found in seccome Ehoney. It has been rated as critical. This issue affects some unknown processing of the file /api/public/signup. The manipulation leads to improper access control...

CWE-2662022

CVE-2022-3771

CRITICAL
CVSS:9.8(Critical)

A vulnerability, which was classified as critical, has been found in easyii CMS. This issue affects the function file of the file helpers/Upload.php of the component File Upload Management. The manipu...

CWE-2662022

CVE-2022-4232

CRITICAL
CVSS:9.8(Critical)

A vulnerability, which was classified as critical, was found in SourceCodester Event Registration System 1.0. Affected is an unknown function. The manipulation of the argument cmd leads to unrestricte...

CWE-2662022