Karmada Tar Slips in CRDs archive extraction

Description

Impact

What kind of vulnerability is it? Who is impacted?

Both in karmadactl and karmada-operator, it is possible to supply a filesystem path, or an HTTP(s) URL to retrieve the custom resource definitions(CRDs) needed by karmada. The CRDs are downloaded as a gzipped tarfile and are vulnerable to a TarSlip vulnerability. An attacker able to supply a malicious CRD file into a karmada initialization could write arbitrary files in arbitrary paths of the filesystem.

Patches

Has the problem been patched? What versions should users upgrade to?

From karmada version v1.12.0, when processing custom CRDs files, CRDs archive verification is utilized to enhance file system robustness.

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

When using karmadactl init to set up Karmada, if you need to set flag --crd to customize the CRD files required for karmada initialization, you can manually inspect the CRD files to check whether they contain sequences such as ../ that would alter file paths, to determine if they potentially include malicious files.

When using karmada-operator to set up Karmada, you must upgrade your karmada-operator to one of the fixed versions.

References

Are there any links users can visit to find out more?

  1. Enhancements made from the Karmada community: https://github.com/karmada-io/karmada/pull/5713, https://github.com/karmada-io/karmada/pull/5703

Basic information

Type
reviewed
Severity
medium
Advisory on GitHub
Open advisory ↗
Repository advisory
Open repository advisory ↗
Source code
Browse source ↗
Published (advisory)
2025-01-03 16:15:54 UTC
Updated
2025-01-03 19:25:57 UTC
GitHub reviewed
2025-01-03 16:15:54 UTC
NVD published
2025-01-03

EPSS Score

Score Percentile
0.22% 44.52%

CVSS Scores

Base score Version Severity Vector
5.3 4.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N Click to expand
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network.
Attack complexity (AC:L)
Exploitation conditions are straightforward and stable.
Attack requirements (AT:N)
No additional preconditions are required beyond normal reachability.
Privileges required (PR:N)
No privileges are required.
User interaction (UI:P)
A user has to participate (for example click/open/approve).
Vulnerable system confidentiality impact (VC:N)
No confidentiality impact on the vulnerable system.
Vulnerable system integrity impact (VI:L)
Limited integrity impact on the vulnerable system.
Vulnerable system availability impact (VA:N)
No availability impact on the vulnerable system.
Subsequent system confidentiality impact (SC:N)
No confidentiality impact on subsequent systems.
Subsequent system integrity impact (SI:N)
No integrity impact on subsequent systems.
Subsequent system availability impact (SA:N)
No availability impact on subsequent systems.

Identifiers

CWEs

CWE id Name
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Credits

  • zhzhuang-zju (remediation_developer)
  • RainbowMango (remediation_reviewer)
  • TheZ3ro (remediation_verifier)
  • suidpit (reporter)

Affected packages (1)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem Package Vulnerable range First patched Vulnerable functions
go github.com/karmada-io/karmada < 1.12.0 1.12.0

References

cvelogic Threat Intelligence