Karmada · CVE-2024-56513
Name of the Vulnerable Software and Affected Versions:
Karmada versions prior to 1.12.0
Description:
The vulnerability is an excessive-privilege issue in PULL mode clusters: an attacker who can authenticate as the karmada-agent can obtain administrative privileges over the entire federation system, including all registered member clusters. It can be exploited by abusing the permissions granted through the `karmadactl register` command. The number of potentially affected installations worldwide is not specified, and there is no information about real-world incidents in which this issue was exploited.
Recommendations:
For Karmada versions prior to 1.12.0, update to version 1.12.0 or later, which restricts the access permissions of pull mode member clusters to control plane resources. As a temporary workaround, restrict the access permissions of pull mode member clusters to control plane resources according to the Karmada Component Permissions Docs.
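As an added illustration of the recommendation above (example code, not from Karmada or this advisory): a small Python audit that flags the kinds of grant that make a per-cluster agent dangerous on the control plane, namely wildcards, privilege-escalation verbs, and cluster-wide write access that is not pinned to the agent's own object. The role manifests in the block are constructed for the example; the API groups `cluster.karmada.io` and `work.karmada.io` and the `karmada-es-<cluster>` execution-namespace convention follow Karmada's public API, but the exact rules Karmada ships are assumptions here and should be taken from the Karmada Component Permissions Docs.

```python
"""Least-privilege check for the RBAC a member-cluster agent holds on the
control plane. Added example; the role manifests below are constructed and
are NOT Karmada's own manifests."""

WILDCARD = "*"
# Verbs that change state on the control plane.
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection"}
# Verbs that let a subject widen its own authority or act as someone else.
ESCALATION_VERBS = {"escalate", "bind", "impersonate"}


def audit_role(role):
    """Return a list of findings for one Role/ClusterRole (empty = passes).

    Checks:
      1. wildcards in apiGroups / resources / verbs
      2. escalation verbs (escalate, bind, impersonate)
      3. ClusterRole write access not pinned to resourceNames, which would let
         one agent modify every registered cluster's objects
      4. 'create' combined with resourceNames (Kubernetes does not restrict
         create requests by resourceNames, so the pin is an illusion)
    """
    findings = []
    kind = role.get("kind", "Role")
    name = role.get("metadata", {}).get("name", "<unnamed>")
    for idx, rule in enumerate(role.get("rules", [])):
        groups = set(rule.get("apiGroups", []))
        resources = set(rule.get("resources", []))
        verbs = set(rule.get("verbs", []))
        names = rule.get("resourceNames", [])
        where = f"{kind}/{name} rule[{idx}]"
        if WILDCARD in groups or WILDCARD in resources or WILDCARD in verbs:
            findings.append(f"{where}: wildcard grant "
                            f"{sorted(groups)} {sorted(resources)} {sorted(verbs)}")
        escalating = verbs & ESCALATION_VERBS
        if escalating:
            findings.append(f"{where}: escalation verbs {sorted(escalating)}")
        writes = verbs & WRITE_VERBS
        if kind == "ClusterRole" and writes and not names:
            findings.append(f"{where}: cluster-wide {sorted(writes)} on "
                            f"{sorted(resources)} without resourceNames")
        if "create" in verbs and names:
            findings.append(f"{where}: resourceNames do not restrict 'create'")
    return findings


def audit_roles(roles):
    """Map each role name to its findings; useful over a dumped RBAC set."""
    return {r["metadata"]["name"]: audit_role(r) for r in roles}


# ---- constructed sample manifests (hypothetical names, not Karmada's) ----
AGENT_CLUSTER_NAME = "member1"
EXEC_NAMESPACE = f"karmada-es-{AGENT_CLUSTER_NAME}"

# The kind of grant that turns one agent into a federation-wide admin.
OVERPRIVILEGED = {
    "kind": "ClusterRole",
    "metadata": {"name": "member-agent-wide-open"},
    "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}],
}

# Cluster-scoped access pinned to the agent's own Cluster object only.
SCOPED_CLUSTER_ROLE = {
    "kind": "ClusterRole",
    "metadata": {"name": "member-agent-own-cluster"},
    "rules": [
        {"apiGroups": ["cluster.karmada.io"], "resources": ["clusters"],
         "resourceNames": [AGENT_CLUSTER_NAME], "verbs": ["get", "update", "patch"]},
        {"apiGroups": ["cluster.karmada.io"], "resources": ["clusters/status"],
         "resourceNames": [AGENT_CLUSTER_NAME], "verbs": ["update", "patch"]},
    ],
}

# Namespaced access limited to this cluster's own execution namespace.
SCOPED_ROLE = {
    "kind": "Role",
    "metadata": {"name": "member-agent-works", "namespace": EXEC_NAMESPACE},
    "rules": [
        {"apiGroups": ["work.karmada.io"], "resources": ["works"],
         "verbs": ["get", "list", "watch", "update", "patch"]},
        {"apiGroups": ["work.karmada.io"], "resources": ["works/status"],
         "verbs": ["update", "patch"]},
    ],
}


if __name__ == "__main__":
    for role_name, issues in audit_roles(
            [OVERPRIVILEGED, SCOPED_CLUSTER_ROLE, SCOPED_ROLE]).items():
        status = "FAIL" if issues else "ok"
        print(f"{status:4} {role_name}")
        for issue in issues:
            print(f"     - {issue}")
```

Run it against the roles bound to the agent's identity (for example, dumped with `kubectl get clusterrole,role -A -o json` and loaded into dicts); any finding means the agent could reach beyond its own cluster's objects on the control plane, which is exactly the over-reach this CVE describes.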