Statement and Solution for KubeSphere IDOR Security Vulnerability CVE-2024-46528
Recently, a security researcher working through a third-party platform reported an Insecure Direct Object Reference (IDOR) vulnerability in KubeSphere 3.4.1 and 4.1.1. An authenticated attacker with low privileges can use it to access sensitive resources that are not subject to proper authorization checks. We promptly got in touch with the reporter and worked with them to resolve the issue. For details of the CVE and of the resolution process, please refer to the following links:
Affected Versions
- KubeSphere 4.x: < 4.1.3
- KubeSphere 3.x: >= 3.0.0, <= 3.4.1
- KubeSphere Enterprise 4.x: < 4.1.3
- KubeSphere Enterprise 3.x: >= 3.0.0, <= 3.5.0
Workaround
Remove the non-essential resource permissions from the authenticated platform role, keeping only the rules listed in the patch below:
kubectl patch globalrole.iam.kubesphere.io authenticated --type merge -p '{"rules": [{"apiGroups":["monitoring.kubesphere.io","metering.kubesphere.io","monitoring.coreos.com"],"resources":["cluster"],"verbs":["list"]},{"apiGroups":["resources.kubesphere.io"],"resources":["clusters"],"verbs":["get","list"]}]}'
This change tightens the permissions granted to ordinary users. Note that kubectl patch --type merge applies a JSON merge patch, which replaces the entire rules list of the authenticated GlobalRole rather than removing individual entries, so any rule not listed in the patch is dropped; export the current object to a file before patching so that its original rules can be restored if needed. After the change, when an ordinary project member opens a console page that calls one of the APIs removed from the role, a "forbidden" error dialog appears; this is expected.
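As an added illustration, not KubeSphere project code, the following Python script simulates what the command above does: kubectl patch --type merge sends an RFC 7386 JSON merge patch, and the script applies that same patch body to a constructed GlobalRole object, then checks that the resulting rules are exactly the two the workaround keeps and reports which rules were dropped. The "before" object, including its apiVersion and the extra rule in the hypothetical.example.io API group, is constructed for the example and is not the real default authenticated role.

```python
"""Added example (not KubeSphere project code): simulate the JSON merge patch
sent by the workaround and verify the resulting GlobalRole rules."""
import copy
import json

# The exact patch body from the workaround command.
WORKAROUND_PATCH = json.loads(
    '{"rules": [{"apiGroups":["monitoring.kubesphere.io","metering.kubesphere.io",'
    '"monitoring.coreos.com"],"resources":["cluster"],"verbs":["list"]},'
    '{"apiGroups":["resources.kubesphere.io"],"resources":["clusters"],'
    '"verbs":["get","list"]}]}'
)

# Constructed stand-in for the object currently in the cluster. The apiVersion
# and the hypothetical.example.io rule are made up for this example; the extra
# rule is there to show that a merge patch drops it instead of merging it.
BEFORE = {
    "apiVersion": "iam.kubesphere.io/v1alpha2",
    "kind": "GlobalRole",
    "metadata": {"name": "authenticated", "labels": {"example": "constructed"}},
    "rules": [
        {"apiGroups": ["resources.kubesphere.io"], "resources": ["clusters"],
         "verbs": ["get", "list"]},
        {"apiGroups": ["hypothetical.example.io"], "resources": ["widgets"],
         "verbs": ["get", "list", "watch"]},
    ],
}


def merge_patch(target, patch):
    """RFC 7386 JSON merge patch: objects merge recursively, a null value
    deletes the key, and any other value (lists included) replaces the old one."""
    if not isinstance(patch, dict):
        return copy.deepcopy(patch)
    if not isinstance(target, dict):
        target = {}
    result = copy.deepcopy(target)
    for key, value in patch.items():
        if value is None:
            result.pop(key, None)
        else:
            result[key] = merge_patch(result.get(key), value)
    return result


def apply_workaround(obj):
    """Apply the workaround patch to a GlobalRole object and return the result."""
    return merge_patch(obj, WORKAROUND_PATCH)


def rule_key(rule):
    """Order-independent identity of a policy rule."""
    return (tuple(sorted(rule.get("apiGroups", []))),
            tuple(sorted(rule.get("resources", []))),
            tuple(sorted(rule.get("verbs", []))))


def verify_rules(obj):
    """True iff the object's rules are exactly the rules the workaround keeps."""
    have = {rule_key(r) for r in obj.get("rules", [])}
    want = {rule_key(r) for r in WORKAROUND_PATCH["rules"]}
    return have == want


def verify_json_text(text):
    """Same check on raw JSON text, e.g. the output of kubectl get ... -o json."""
    return verify_rules(json.loads(text))


def dropped_rules(before, after):
    """Rules present before the patch that no longer exist afterwards."""
    after_keys = {rule_key(r) for r in after.get("rules", [])}
    return [r for r in before.get("rules", []) if rule_key(r) not in after_keys]


if __name__ == "__main__":
    after = apply_workaround(BEFORE)
    print(json.dumps(after["rules"], indent=2))
    print("rules match workaround:", verify_rules(after))
    print("dropped by merge patch:", dropped_rules(BEFORE, after))
```

After applying the real patch, the same check can be run against the cluster by piping the JSON output of kubectl get globalrole.iam.kubesphere.io authenticated -o json into verify_json_text; a False result means the role does not carry exactly the expected rules, and the copy exported before patching is what to restore from. The dropped_rules helper is the reason to take that export: the merge patch removes every rule not named in the patch, whether or not it was non-essential.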
Remediation Plan
The risk level of this vulnerability is not high, and the workaround above mitigates it on affected versions. We will fix this issue in the next version, KubeSphere 4.1.3, which is expected to be released in January 2025.
Security Commitment
KubeSphere is continuously committed to providing enterprise customers with a secure and reliable cloud-native full-stack solution. We value the trust of users in our platform and strive to ensure that our system meets the highest security and performance standards.
At the same time, the KubeSphere community expresses its gratitude to Okan Kurtuluş for promptly discovering this problem and for communicating actively with us.
More Information
For more details about CVE-2024-46528 and its solution, you can contact the KubeSphere support team at security@kubesphere.io.