Cloud Vulnerability DB
A community-led vulnerabilities database
An Insecure Direct Object Reference (IDOR) vulnerability was discovered in KubeSphere 4.x before 4.1.3 and 3.x through 3.4.1, as well as KubeSphere Enterprise 4.x before 4.1.3 and 3.x through 3.5.0. The vulnerability allows low-privileged authenticated attackers to access sensitive resources without proper authorization checks (KubeSphere News, GitHub Issue).
The vulnerability was identified in the platform's role-based access control system. Specifically, users holding the 'platform-regular' role, which should grant no resource access until the user joins a workspace, were able to read cluster resources, cluster nodes, and the list of registered users without the necessary permissions (Security Report). The vulnerability has been assigned a CVSS v3.1 score of 4.3 (MEDIUM) with the vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N (NVD).
The vulnerability allows authenticated users with low privileges to read sensitive system resources beyond their intended permissions. While the exposed data cannot be directly exploited to cause significant impact, it represents a breach of the platform's access control model (KubeSphere News).
A temporary workaround has been provided that removes non-essential resource authorization from the authenticated platform role using a kubectl patch command. The permanent fix is scheduled for KubeSphere version 4.1.3, expected to be released in January 2025. Users are advised to apply the workaround now or upgrade to the fixed version once it is available (KubeSphere News).
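To triage an inventory of KubeSphere installations against the affected ranges stated above (community 4.x before 4.1.3 and 3.x through 3.4.1; Enterprise 4.x before 4.1.3 and 3.x through 3.5.0), the following added example, which is not part of the original advisory or the KubeSphere project, parses a version string and reports whether it falls inside those ranges. The version strings and the `edition` labels are assumptions for illustration; 3.x releases newer than the upper bounds listed in the advisory are reported as not listed rather than as fixed.

```python
"""Triage helper: is a given KubeSphere version inside the advisory's affected ranges?

Added example, not code from the advisory or from the KubeSphere project.
Ranges are taken verbatim from the advisory text; edition labels are assumed.
"""
from typing import Tuple

Version = Tuple[int, int, int]


def parse_version(text: str) -> Version:
    """Normalise 'v4.1.2', '4.1', '4.1.2-rc1', '3.4.1+build7' to a (major, minor, patch) tuple."""
    core = text.strip().lstrip("vV")
    # Drop any pre-release or build-metadata suffix before splitting on dots.
    core = core.split("-", 1)[0].split("+", 1)[0]
    parts = [int(p) for p in core.split(".") if p != ""]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unrecognised version string: {text!r}")
    while len(parts) < 3:
        parts.append(0)
    return parts[0], parts[1], parts[2]


# (lower bound inclusive, upper bound, upper bound inclusive?) per the advisory.
# "before 4.1.3" -> exclusive upper bound; "through 3.4.1" / "through 3.5.0" -> inclusive.
AFFECTED_RANGES = {
    "community": [
        ((3, 0, 0), (3, 4, 1), True),
        ((4, 0, 0), (4, 1, 3), False),
    ],
    "enterprise": [
        ((3, 0, 0), (3, 5, 0), True),
        ((4, 0, 0), (4, 1, 3), False),
    ],
}


def is_affected(version: str, edition: str = "community") -> bool:
    """Return True when `version` lies inside one of the advisory's affected ranges.

    A version outside every range (for example 4.1.3, or a 3.x release newer than
    the advisory's upper bound) returns False; that means "not listed as affected",
    not a guarantee that the release carries the fix.
    """
    v = parse_version(version)
    for low, high, inclusive in AFFECTED_RANGES[edition]:
        if v < low:
            continue
        if v < high or (inclusive and v == high):
            return True
    return False


def triage(inventory: dict) -> dict:
    """Map {cluster_name: (version, edition)} to {cluster_name: affected?} for a fleet report."""
    return {name: is_affected(ver, ed) for name, (ver, ed) in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; cluster names and versions are illustrative only.
    sample = {
        "dev-cluster": ("v4.1.2", "community"),
        "prod-cluster": ("4.1.3", "community"),
        "legacy-cluster": ("3.4.1", "community"),
        "ent-cluster": ("3.5.0", "enterprise"),
    }
    for name, affected in triage(sample).items():
        print(f"{name}: {'AFFECTED - apply workaround or upgrade' if affected else 'not listed'}")
```

Feed it the output of your own version inventory (the `sample` dict is only a constructed placeholder) and treat every `True` as a cluster that needs the kubectl patch workaround or the 4.1.3 upgrade.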
The KubeSphere community has acknowledged the vulnerability and expressed gratitude to security researcher Okan Kurtuluş for discovering and reporting the issue. The vendor has committed to maintaining security standards and ensuring system reliability (KubeSphere News).
Source: This report was generated using AI