
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2024-56513 affects Karmada, a Kubernetes management system designed for running cloud-native applications across multiple clusters and clouds. The vulnerability was discovered in versions prior to 1.12.0, where PULL mode clusters registered with the karmadactl register command were granted excessive privileges to access control plane resources (Karmada Advisory).
The root cause is improper privilege assignment during PULL mode cluster registration: the credentials issued to a cluster registered with karmadactl register grant it broader access to control plane resources than its role requires. The vulnerability has been assigned a CVSSv4 score of 8.7 (HIGH), with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N (Security Online).
An attacker who can authenticate as the karmada-agent to a Karmada cluster would be able to obtain administrative privileges over the entire federation system, including all registered member clusters. This could lead to unauthorized access to sensitive configuration data, manipulation of application traffic scheduling, and potential lateral attacks across member clusters (Security Online).
The vulnerability has been patched in Karmada version 1.12.0, which restricts the access permissions of PULL mode member clusters to control plane resources. Users unable to upgrade immediately can apply a workaround by manually restricting the access permissions of PULL mode member clusters to control plane resources, following the Karmada Component Permissions Documentation (Karmada Advisory, Karmada Docs).
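The workaround amounts to a least-privilege review of the RBAC granted to each agent identity in the control plane. The following is an added example, not Karmada's own code or manifests: a small audit that walks a ClusterRole and flags wildcard grants and unscoped write access to sensitive resources. The two ClusterRole documents are constructed for illustration (the resource names, API groups and member cluster name "member1" are assumptions chosen to look like Karmada objects); the permissions Karmada 1.12.0 actually applies are those in the Component Permissions Documentation.

```python
"""Audit a Kubernetes ClusterRole for over-broad grants to an agent identity.

Added example; not Karmada's code. The ClusterRole dicts below are constructed
for illustration and do not reproduce the manifests karmadactl generates.
"""
from typing import Dict, List

WILDCARD = "*"
# Verbs that let a subject change state rather than just observe it.
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection", WILDCARD}
# Resources where unscoped write access amounts to control over the federation
# (assumed list for this example; tune it to the control plane being audited).
SENSITIVE_RESOURCES = {
    "clusters", "secrets", "clusterroles", "clusterrolebindings",
    "works", "resourcebindings",
}


def find_overbroad_rules(cluster_role: Dict) -> List[str]:
    """Return one finding per rule that exceeds what a single agent should hold."""
    findings: List[str] = []
    for i, rule in enumerate(cluster_role.get("rules", [])):
        groups = rule.get("apiGroups", [])
        resources = rule.get("resources", [])
        verbs = rule.get("verbs", [])
        names = rule.get("resourceNames")  # per-object scoping, if any

        # Wildcard on both axes is cluster-admin in all but name.
        if WILDCARD in resources and WILDCARD in verbs:
            findings.append(f"rule {i}: wildcard resources and verbs (cluster-admin equivalent)")
            continue
        if WILDCARD in verbs:
            findings.append(f"rule {i}: wildcard verbs on {resources}")
        if WILDCARD in resources:
            findings.append(f"rule {i}: wildcard resources in apiGroups {groups}")

        # Write verbs on sensitive resources are acceptable only when pinned to
        # the agent's own objects via resourceNames.
        writable = set(verbs) & WRITE_VERBS
        touched = set(resources) & SENSITIVE_RESOURCES
        if writable and touched and not names:
            findings.append(
                f"rule {i}: write verbs {sorted(writable)} on {sorted(touched)} "
                "without resourceNames scoping"
            )
    return findings


# Constructed "before": what an over-privileged agent role looks like.
BROAD_AGENT_ROLE: Dict = {
    "kind": "ClusterRole",
    "metadata": {"name": "example-agent-broad"},  # assumed name
    "rules": [
        {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
        {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list", "create", "update"]},
    ],
}

# Constructed "after": the same agent limited to its own Cluster object and
# read-only access to the work it is expected to apply.
SCOPED_AGENT_ROLE: Dict = {
    "kind": "ClusterRole",
    "metadata": {"name": "example-agent-scoped"},  # assumed name
    "rules": [
        {"apiGroups": ["cluster.karmada.io"], "resources": ["clusters"],
         "resourceNames": ["member1"], "verbs": ["get", "update", "patch"]},
        {"apiGroups": ["cluster.karmada.io"], "resources": ["clusters/status"],
         "resourceNames": ["member1"], "verbs": ["update", "patch"]},
        {"apiGroups": ["work.karmada.io"], "resources": ["works"],
         "verbs": ["get", "list", "watch"]},
    ],
}


def audit(role: Dict) -> bool:
    """Print findings for a role; return True when it passes the audit."""
    findings = find_overbroad_rules(role)
    name = role.get("metadata", {}).get("name", "<unnamed>")
    if findings:
        print(f"{name}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
    else:
        print(f"{name}: ok")
    return not findings


if __name__ == "__main__":
    audit(BROAD_AGENT_ROLE)   # expected to fail
    audit(SCOPED_AGENT_ROLE)  # expected to pass
```

To run this against a live control plane, export the role bound to each agent (for example with kubectl get clusterrole -o json) and feed the parsed document to find_overbroad_rules; a per-cluster role whose write rules carry resourceNames for that cluster alone is what the 1.12.0 restriction is aiming for.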
Source: This report was generated using AI