PT-2025-1002 · Karmada +1

Shiro-Bako +1

Published: 2025-01-03 · Updated: 2025-01-10 · CVE-2024-56513

CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Karmada versions prior to 1.12.0
Description: The issue stems from excessive privileges granted to PULL mode member clusters. An attacker who can authenticate as the karmada-agent can obtain administrative privileges over the entire federation system, including all registered member clusters, by abusing the permissions associated with the karmadactl register command. The estimated number of potentially affected devices worldwide is not specified. There is no information about real-world incidents in which this issue was exploited.
Recommendations: For Karmada versions prior to 1.12.0, update to version 1.12.0 or later, which restricts the access of PULL mode member clusters to control plane resources. As a temporary workaround, restrict the access permissions of PULL mode member clusters to control plane resources as described in the Karmada Component Permissions Docs.

Weakness Enumeration

Incorrect Privilege Assignment

Related Identifiers

BDU:2025-00077
CVE-2024-56513
GHSA-MG7W-C9X2-XH7R
GO-2025-3364
OPENSUSE-SU-2025:14624-1
OPENSUSE-SU-2025_0060-1
SUSE-SU-2025:0060-1

Affected Products

Karmada
Suse