CVE-2024-56514

EPSS 0.30%

Karmada Tar Slips in CRDs archive extraction

發布日:2025/1/3修改日:2025/1/7
也稱為:GHSA-cwrh-575j-8vr3GO-2025-3363

描述

### Impact _What kind of vulnerability is it? Who is impacted?_ Both in karmadactl and karmada-operator, it is possible to supply a filesystem path, or an HTTP(s) URL to retrieve the custom resource definitions(CRDs) needed by karmada. The CRDs are downloaded as a gzipped tarfile and are vulnerable to a TarSlip vulnerability. An attacker able to supply a malicious CRD file into a karmada initialization could write arbitrary files in arbitrary paths of the filesystem. ### Patches _Has the problem been patched? What versions should users upgrade to?_ From karmada version v1.12.0, when processing custom CRDs files, CRDs archive verification is utilized to enhance file system robustness. ### Workarounds _Is there a way for users to fix or remediate the vulnerability without upgrading?_ When using `karmadactl init` to set up Karmada, if you need to set flag `--crd` to customize the CRD files required for karmada initialization, you can manually inspect the CRD files to check whether they contain sequences such as `../` that would alter file paths, to determine if they potentially include malicious files. When using karmada-operator to set up Karmada, you must upgrade your karmada-operator to one of the fixed versions. ### References _Are there any links users can visit to find out more?_ 1. Enhancements made from the Karmada community: https://github.com/karmada-io/karmada/pull/5713, https://github.com/karmada-io/karmada/pull/5703

受影響套件(2)

CVSS 分數

來源版本嚴重程度向量
osvCVSS 4.0CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

參考連結(7)