CVE-2024-56514: 
Linux openSUSE vulnerability analysis and mitigation

Karmada is a Kubernetes management system that allows users to run cloud-native applications across multiple Kubernetes clusters and clouds. Prior to version 1.12.0, both in karmadactl and karmada-operator, it is possible to supply a filesystem path, or an HTTP(s) URL to retrieve the custom resource definitions(CRDs) needed by Karmada. The CRDs are downloaded as a gzipped tarfile and are vulnerable to a TarSlip vulnerability (GitHub Advisory).

The vulnerability exists in both karmadactl and karmada-operator components when processing custom CRDs files. The issue occurs during the initialization process where CRDs can be supplied either through a filesystem path or HTTP(s) URL. The downloaded CRDs are stored as a gzipped tarfile, but the system fails to properly validate the archive contents before extraction, making it vulnerable to Tar Slip attacks. The vulnerability is tracked as CVE-2024-56514 with a CVSS v4.0 score of 5.3 (Medium) (NVD).

An attacker able to supply a malicious CRD file into a Karmada initialization could write arbitrary files in arbitrary paths of the filesystem. This could potentially lead to system compromise through arbitrary file writes (GitHub Advisory).

The vulnerability has been fixed in Karmada version 1.12.0 by implementing CRDs archive verification to enhance file system robustness. For users unable to upgrade immediately, a workaround exists for karmadactl init users: manually inspect CRD files to check for sequences like '../' that would alter file paths. For karmada-operator users, upgrading to a fixed version is required as no workaround is available (GitHub Advisory).