GHSA-c7xh-gjv4-4jgv: 
vulnerability analysis and mitigation

The vulnerability (GHSA-c7xh-gjv4-4jgv) affects kcp versions 0.26.0 and earlier, discovered and disclosed in December 2024. This security issue involves kcp's impersonation feature, which allows users with certain privileges to override user information. The vulnerability specifically affects kcp installations where users are granted the cluster-admin ClusterRole or similar high-level permissions within their workspaces (GitHub Advisory).

The vulnerability stems from kcp's inheritance of Kubernetes API's impersonation feature. Users with cluster-admin ClusterRole or comparable permissions that grant impersonation access within their workspaces can impersonate special global administrative groups. This ability allows them to circumvent parts of the authorizer chains, including maximal permission policies. The vulnerability has been assigned a CVSS v3.1 score of 6.4 (Moderate), with the following metrics: Network attack vector, Low attack complexity, Low privileges required, No user interaction needed, Changed scope, and Low impact on both confidentiality and integrity (GitHub Advisory).

The vulnerability enables users with workspace-level administrative privileges to bypass security boundaries by impersonating global administrative groups. This could lead to unauthorized access and potential circumvention of security controls, particularly affecting maximal permission policies. The impact primarily concerns confidentiality and integrity aspects of the system, though availability is not affected (GitHub Advisory).

Two primary workarounds are available: 1) Not assigning the cluster-admin role or any other role that grants blanket impersonation permissions to users, and 2) Implementing a reverse proxy between users and kcp to check for the Impersonate-Group header and reject requests that impersonate global administrative groups. The vulnerability has been patched in version 0.26.1 and higher (GitHub Advisory).