PT-2025-1149 · Karmada

Suidpit · Published 2025-01-03 · Updated 2025-01-10

CVE-2024-56514
CVSS v4.0: 5.3 (Medium)
Vector: AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Karmada versions prior to 1.12.0

Description: Karmada is a Kubernetes management system that lets users run cloud-native applications across multiple Kubernetes clusters and clouds. It is vulnerable to a TarSlip (archive path traversal) flaw: an attacker who supplies a malicious custom resource definition (CRD) archive during Karmada initialization can write arbitrary files to arbitrary paths on the filesystem. The initialization step accepts either a filesystem path or an HTTP(S) URL from which to retrieve the CRDs Karmada needs; the CRDs are delivered as a gzipped tar archive, and entry names containing path traversal sequences are not rejected, so extraction follows the attacker-controlled path. Starting with Karmada 1.12.0, the CRD archive is verified before extraction to protect the filesystem.

Recommendations: For versions prior to 1.12.0, when using karmadactl init to set up Karmada, manually inspect the CRD archive for entry paths containing sequences such as ../ that would redirect extraction, to determine whether it includes malicious files. When using karmada-operator to set up Karmada, upgrade karmada-operator to a fixed version, that is, 1.12.0 or later.
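The manual inspection the recommendation asks for can be automated. The Go program below is an added example written for this advisory; it is not Karmada's own code or its 1.12.0 verification routine. It opens a gzipped tar archive in memory, never writes to disk, and reports every entry whose name (or symlink/hard-link target) would resolve outside the intended extraction directory once ".." components are collapsed. The archive contents, the destination path /tmp/karmada-crds and the function names are constructed for the example.

```go
package main

import (
	"archive/tar"
	"bytes"
	"compress/gzip"
	"errors"
	"fmt"
	"io"
	"path/filepath"
	"strings"
)

// ErrTraversal marks an archive entry that would land outside the destination directory.
var ErrTraversal = errors.New("archive entry escapes destination directory")

// SafeJoin resolves an entry name under destDir and rejects absolute names and
// names that escape destDir after "." and ".." components are collapsed.
func SafeJoin(destDir, name string) (string, error) {
	if filepath.IsAbs(name) {
		return "", fmt.Errorf("%w: absolute name %q", ErrTraversal, name)
	}
	cleanDest := filepath.Clean(destDir)
	target := filepath.Join(cleanDest, name) // Join collapses ".." components
	if target != cleanDest && !strings.HasPrefix(target, cleanDest+string(filepath.Separator)) {
		return "", fmt.Errorf("%w: %q resolves to %q", ErrTraversal, name, target)
	}
	return target, nil
}

// InspectArchive scans a gzipped tar archive without extracting it and returns,
// in archive order, the names of entries whose path or link target would escape
// destDir. An empty result means every entry stays under destDir.
func InspectArchive(archive []byte, destDir string) ([]string, error) {
	gz, err := gzip.NewReader(bytes.NewReader(archive))
	if err != nil {
		return nil, err
	}
	defer gz.Close()

	var escaping []string
	tr := tar.NewReader(gz)
	for {
		hdr, err := tr.Next()
		if errors.Is(err, io.EOF) {
			break
		}
		// Newer Go releases can flag insecure names themselves (GODEBUG tarinsecurepath);
		// the header is still returned in that case, so fall through to our own checks.
		if err != nil && !errors.Is(err, tar.ErrInsecurePath) {
			return nil, err
		}
		if _, err := SafeJoin(destDir, hdr.Name); err != nil {
			escaping = append(escaping, hdr.Name)
			continue
		}
		switch hdr.Typeflag {
		case tar.TypeSymlink:
			// A relative symlink target is resolved from the entry's own directory;
			// an absolute target is rejected by SafeJoin directly.
			target := hdr.Linkname
			if !filepath.IsAbs(target) {
				target = filepath.Join(filepath.Dir(hdr.Name), target)
			}
			if _, err := SafeJoin(destDir, target); err != nil {
				escaping = append(escaping, hdr.Name)
			}
		case tar.TypeLink:
			// A hard-link target is relative to the archive root.
			if _, err := SafeJoin(destDir, hdr.Linkname); err != nil {
				escaping = append(escaping, hdr.Name)
			}
		}
	}
	return escaping, nil
}

type sampleEntry struct {
	name, linkname, body string
	typeflag             byte
}

// SampleArchive builds a constructed gzipped tar in memory: one benign CRD file,
// one entry with a ".." name, and one symlink whose target points outside the tree.
func SampleArchive() []byte {
	entries := []sampleEntry{
		{name: "crds/bases/work.yaml", body: "apiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\n", typeflag: tar.TypeReg},
		{name: "../outside.yaml", body: "kind: CustomResourceDefinition\n", typeflag: tar.TypeReg},
		{name: "crds/link", linkname: "../../outside", typeflag: tar.TypeSymlink},
	}
	var buf bytes.Buffer
	gz := gzip.NewWriter(&buf)
	tw := tar.NewWriter(gz)
	for _, e := range entries {
		hdr := &tar.Header{Name: e.name, Linkname: e.linkname, Typeflag: e.typeflag, Mode: 0o644, Size: int64(len(e.body))}
		if err := tw.WriteHeader(hdr); err != nil {
			panic(err)
		}
		if _, err := tw.Write([]byte(e.body)); err != nil {
			panic(err)
		}
	}
	tw.Close()
	gz.Close()
	return buf.Bytes()
}

func main() {
	escaping, err := InspectArchive(SampleArchive(), "/tmp/karmada-crds")
	if err != nil {
		panic(err)
	}
	for _, name := range escaping {
		fmt.Printf("REJECT %s (would be written outside the CRD directory)\n", name)
	}
}
```

Run against a real CRD tarball by replacing SampleArchive() with the bytes read from the file; a non-empty result is reason to discard the archive rather than extract it. The check is done on the cleaned, joined path rather than by searching for the literal string "../", so encoded or nested variants such as "crds/../../x" are caught the same way.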

Links: Exploit · Fix

Weakness Enumeration: Path traversal

Related Identifiers

BDU:2025-00429
CVE-2024-56514
GHSA-CWRH-575J-8VR3
GO-2025-3363
OPENSUSE-SU-2025:14624-1
OPENSUSE-SU-2025_0060-1
SUSE-SU-2025:0060-1

Affected Products

Karmada
SUSE