
Statement and Solution for KubeSphere IDOR Security Vulnerability CVE-2024-46528

Published: 2024-10-17 15:36:08

Recently, a security researcher from a third-party platform discovered an insecure direct object reference (IDOR) vulnerability in KubeSphere open source versions 3.4.1 and 4.1.1. It allows a low-privileged, authenticated attacker to access sensitive resources because the affected APIs do not perform proper authorization checks. We promptly contacted the reporter and worked with them to resolve the issue. Detailed information about the CVE and how the issue was handled can be found at the following links:

  • CVE-2024-46528
  • IDOR Vulnerability in KubeSphere

Scope of impact

  • KubeSphere affected versions: < 4.1.3
  • KubeSphere affected versions: >= 3.0.0, <= 3.4.1
  • KubeSphere Enterprise affected versions: < 4.1.3
  • KubeSphere Enterprise affected versions: >= 3.0.0, <= 3.5.0

Workaround

Remove the resource authorizations that the `authenticated` platform role does not need. Note that the resource kind and the API group names inside the command below did not survive extraction on this page (the apiGroups entries appear as empty strings); take the exact values from the linked advisory before applying it, since patching a role with wrong group names would leave ordinary users with no usable permissions:

kubectl patch  authenticated --type merge -p '{"rules": [{"apiGroups":["","",""],"resources":["cluster"],"verbs":["list"]},{"apiGroups":[""],"resources":["clusters"],"verbs":["get","list"]}]}'

This change tightens the permissions of ordinary users: ordinary project members will see a Forbidden pop-up when a page they open tries to call these privileged APIs.
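One way to verify that the workaround left the platform role with only the intended grants is to export the role as JSON and diff its rules against the intended minimal rule set. The script below is an added example, not KubeSphere's own code: it assumes the role is exported in the same {"rules": [{"apiGroups", "resources", "verbs"}]} shape the kubectl patch above uses (for instance with `kubectl get globalroles.iam.kubesphere.io authenticated -o json`, where the GlobalRole kind is an assumption to confirm on your cluster), and every API group and resource name in its sample data is a constructed placeholder standing in for the real values in the advisory.

```python
"""Check a KubeSphere platform role export against an intended minimal rule set.

Added example for the CVE-2024-46528 workaround; not KubeSphere's own code.
Assumes the role JSON carries the {"rules": [{"apiGroups", "resources", "verbs"}]}
shape that the kubectl patch uses. All group/resource names below are constructed
placeholders; substitute the real values from the advisory.
"""
import json
from itertools import product

# Constructed: the rule set the workaround is meant to leave in place
# (two rules, mirroring the structure of the patch command).
ALLOWED_RULES = [
    {"apiGroups": ["example-group-a"], "resources": ["cluster"], "verbs": ["list"]},
    {"apiGroups": ["example-group-b"], "resources": ["clusters"], "verbs": ["get", "list"]},
]

# Constructed: how the role might look before the patch, with extra grants.
ROLE_BEFORE_PATCH_JSON = json.dumps({
    "apiVersion": "iam.kubesphere.io/v1alpha2",  # assumed group/version
    "kind": "GlobalRole",                         # assumed kind
    "metadata": {"name": "authenticated"},
    "rules": [
        {"apiGroups": ["example-group-a"], "resources": ["cluster"], "verbs": ["list"]},
        {"apiGroups": ["example-group-b"], "resources": ["clusters"], "verbs": ["get", "list"]},
        {"apiGroups": ["example-group-c"], "resources": ["users"], "verbs": ["get", "list"]},
        {"apiGroups": ["*"], "resources": ["workspaces"], "verbs": ["list"]},
    ],
})

# Constructed: the same role after the patch replaced its rules.
ROLE_AFTER_PATCH_JSON = json.dumps({
    "apiVersion": "iam.kubesphere.io/v1alpha2",  # assumed group/version
    "kind": "GlobalRole",                         # assumed kind
    "metadata": {"name": "authenticated"},
    "rules": ALLOWED_RULES,
})


def expand(rules):
    """Flatten rule objects into a set of (apiGroup, resource, verb) triples."""
    triples = set()
    for rule in rules:
        groups = rule.get("apiGroups", [])
        resources = rule.get("resources", [])
        verbs = rule.get("verbs", [])
        triples.update(product(groups, resources, verbs))
    return triples


def excess_grants(role_json, allowed_rules=ALLOWED_RULES):
    """Return the sorted (apiGroup, resource, verb) triples the role grants
    beyond the allowed set.

    A wildcard ("*") in the role is reported as excess unless the allowed set
    contains that exact wildcard, because it covers resources the workaround
    is meant to take away.
    """
    role = json.loads(role_json)
    current = expand(role.get("rules", []))
    allowed = expand(allowed_rules)
    return sorted(current - allowed)


def is_minimal(role_json, allowed_rules=ALLOWED_RULES):
    """True when the role grants nothing outside the allowed set."""
    return not excess_grants(role_json, allowed_rules)


if __name__ == "__main__":
    # Run against the constructed samples; swap in a real export to audit a cluster.
    for triple in excess_grants(ROLE_BEFORE_PATCH_JSON):
        print("extra grant:", triple)
    print("before patch minimal:", is_minimal(ROLE_BEFORE_PATCH_JSON))
    print("after patch minimal:", is_minimal(ROLE_AFTER_PATCH_JSON))
```

The check deliberately compares fully expanded (group, resource, verb) triples rather than rule objects, so a single wildcard or an extra verb tucked into an otherwise expected rule is still reported; re-running it after an upgrade also shows whether a release restored any of the removed grants.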

Fix plan

This is a low-risk vulnerability that can be mitigated with the workaround above. It will be fixed in the next official KubeSphere release, 4.1.3, which is expected in January 2025.

Commitment to security

KubeSphere remains committed to providing secure and reliable cloud-native full-stack solutions for our enterprise customers. We value the trust our users place in our platform and strive to ensure that our systems meet the highest standards of security and performance.
The KubeSphere community also thanks Okan Kurtuluş for promptly identifying this issue and for the constructive communication with us.

More information

Users seeking more details about CVE-2024-46528 and its solution can contact the KubeSphere support team at [security@].

KubeSphere v4 Call for Papers: We invite you to experience and share your best practices! Those whose submissions are accepted will receive community gifts such as T-shirts and canvas bags, and outstanding authors will have a chance to win CKA coupons. For submissions, please contact our assistant, KK, by searching for "kubesphere" on WeChat.

About KubeSphere

KubeSphere is an open source container platform built on top of Kubernetes, providing full-stack IT automation capabilities and simplifying DevOps workflows for the enterprise.

KubeSphere has been adopted by Aqara Smart Home, BenLife, Orient Communications, Microhome, Neusoft, Huayun, Sina, Sany Heavy Industry, Huaxia Bank, Sichuan Airlines, Sinopharm, Microcrowd Bank, Zijin Insurance, GoWhere.com, Zhongtong, People's Bank of China, Bank of China, PICC Life Insurance, China Taiping Insurance, China Mobile, China Unicom, China Telecom, Tianyi Cloud, and others. KubeSphere provides a developer-friendly, wizard-style interface and rich enterprise-grade features, including Kubernetes multi-cloud and multi-cluster management, DevOps (CI/CD), application lifecycle management, edge computing, Service Mesh, multi-tenant management, observability, storage and network management, GPU support, and more, helping organizations quickly build a powerful and feature-rich container cloud platform.

✨ GitHub:/kubesphere
💻 Official website (China site):/zh
🙋 Forum:/forum/
👨‍💻‍ WeChat group: search for and add the group assistant's WeChat ID kubesphere