GHSA-c7xh-gjv4-4jgv

Source

https://github.com/advisories/GHSA-c7xh-gjv4-4jgv

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/12/GHSA-c7xh-gjv4-4jgv/GHSA-c7xh-gjv4-4jgv.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-c7xh-gjv4-4jgv

Aliases

GO-2024-3325

Published

2024-12-11T18:42:30Z

Modified

2024-12-12T19:33:14Z

Severity

6.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N CVSS Calculator

Summary

kcp's impersonation allows access to global administrative groups

Details

Impact

Impersonation is a feature of the Kubernetes API, allowing to override user information. As downstream project, kcp inherits this feature. As per the linked documentation a specific level of privilege (usually assigned to cluster admins) is required for impersonation.

The vulnerability in kcp affects kcp installations in which users are granted the cluster-admin ClusterRole (or comparably high permission levels that grant impersonation access; the verb in question is impersonate) within their respective workspaces. As kcp builds around self-service confined within workspaces, most installations would likely grant such workspace access to their users. Such users can impersonate special global administrative groups, which circumvent parts of the authorizer chains, e.g. maximal permission policies.

Patches

The problem has been patched in #3206 and is available in kcp 0.26.1 and higher.

Workarounds

Not assigning the cluster-admin role (or any other role granting blanket impersonation permissions) to users.
A reverse proxy between users and kcp to check for the Impersonate-Group header and reject requests that impersonate global administrative groups.

References

See the pull request (#3206).

Database specific

{
    "nvd_published_at": null,
    "github_reviewed": true,
    "github_reviewed_at": "2024-12-11T18:42:30Z",
    "severity": "MODERATE",
    "cwe_ids": [
        "CWE-285"
    ]
}

References

Affected packages

Go / github.com/kcp-dev/kcp

Package

Name: github.com/kcp-dev/kcp; View open source insights on deps.dev
Purl: pkg:golang/github.com/kcp-dev/kcp

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.26.1

Database specific

{
    "last_known_affected_version_range": "<= 0.26.0"
}