GHSA-C7XH-GJV4-4JGV

Vulnerability from github – Published: 2024-12-11 18:42 – Updated: 2024-12-12 19:33
VLAI
Summary
kcp's impersonation allows access to global administrative groups
Details

Impact

Impersonation is a feature of the Kubernetes API, allowing to override user information. As downstream project, kcp inherits this feature. As per the linked documentation a specific level of privilege (usually assigned to cluster admins) is required for impersonation.

The vulnerability in kcp affects kcp installations in which users are granted the cluster-admin ClusterRole (or comparably high permission levels that grant impersonation access; the verb in question is impersonate) within their respective workspaces. As kcp builds around self-service confined within workspaces, most installations would likely grant such workspace access to their users. Such users can impersonate special global administrative groups, which circumvent parts of the authorizer chains, e.g. maximal permission policies.

Patches

The problem has been patched in #3206 and is available in kcp 0.26.1 and higher.

Workarounds

  • Not assigning the cluster-admin role (or any other role granting blanket impersonation permissions) to users.
  • A reverse proxy between users and kcp to check for the Impersonate-Group header and reject requests that impersonate global administrative groups.

References

See the pull request (#3206).

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.26.0"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/kcp-dev/kcp"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.26.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-285"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-12-11T18:42:30Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Impact\n\n[Impersonation](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#user-impersonation) is a feature of the Kubernetes API, allowing to override user information. As downstream project, kcp inherits this feature. As per the linked documentation a specific level of privilege (usually assigned to cluster admins) is required for impersonation.\n\nThe vulnerability in kcp affects kcp installations in which users are granted the `cluster-admin` ClusterRole (or comparably high permission levels that grant impersonation access; the verb in question is `impersonate`) within their respective workspaces. As kcp builds around self-service confined within workspaces, most installations would likely grant such workspace access to their users. Such users can impersonate special global administrative groups, which circumvent parts of the authorizer chains, e.g. [maximal permission policies](https://docs.kcp.io/kcp/v0.26/concepts/apis/exporting-apis/#maximal-permission-policy).\n\n### Patches\n\nThe problem has been patched in #3206 and is available in kcp 0.26.1 and higher.\n\n### Workarounds\n\n- Not assigning the `cluster-admin` role (or any other role granting blanket impersonation permissions) to users.\n- A reverse proxy between users and kcp to check for the `Impersonate-Group` header and reject requests that impersonate global administrative groups.\n\n### References\n\nSee the pull request (#3206).\n",
  "id": "GHSA-c7xh-gjv4-4jgv",
  "modified": "2024-12-12T19:33:14Z",
  "published": "2024-12-11T18:42:30Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/kcp-dev/kcp/security/advisories/GHSA-c7xh-gjv4-4jgv"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kcp-dev/kcp/pull/3206"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kcp-dev/kcp/commit/24ab5d4dc35ddff98a2e5fdc236e1681f03283ec"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/kcp-dev/kcp"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2024-3325"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "kcp\u0027s impersonation allows access to global administrative groups"
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…