{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-29T21:08:25.925","vulnerabilities":[{"cve":{"id":"CVE-2024-56513","sourceIdentifier":"security-advisories@github.com","published":"2025-01-03T17:15:08.840","lastModified":"2026-04-15T00:35:42.020","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"Karmada is a Kubernetes management system that allows users to run cloud-native applications across multiple Kubernetes clusters and clouds. Prior to version 1.12.0, the PULL mode clusters registered with the `karmadactl register` command have excessive privileges to access control plane resources. By abusing these permissions, an attacker able to authenticate as the karmada-agent to a karmada cluster would be able to obtain administrative privileges over the entire federation system including all registered member clusters. Since Karmada v1.12.0, command `karmadactl register` restricts the access permissions of pull mode member clusters to control plane resources. This way, an attacker able to authenticate as the karmada-agent cannot control other member clusters in Karmada. As a workaround, one may restrict the access permissions of pull mode member clusters to control plane resources according to Karmada Component Permissions Docs."},{"lang":"es","value":"Karmada es un sistema de administración de Kubernetes que permite a los usuarios ejecutar aplicaciones nativas de la nube en varios clústeres y nubes de Kubernetes. Antes de la versión 1.12.0, los clústeres en modo PULL registrados con el comando `karmadactl register` tienen privilegios excesivos para acceder a los recursos del plano de control. Al abusar de estos permisos, un atacante capaz de autenticarse como agente de karmada en un clúster de karmada podría obtener privilegios administrativos sobre todo el sistema de federación, incluidos todos los clústeres miembros registrados. Desde Karmada v1.12.0, el comando `karmadactl register` restringe los permisos de acceso de los clústeres miembros del modo pull a los recursos del plano de control. De esta manera, un atacante capaz de autenticarse como agente de karmada no puede controlar otros clústeres miembros en Karmada. Como workaround, se pueden restringir los permisos de acceso de los clústeres miembros del modo pull a los recursos del plano de control de acuerdo con los documentos de permisos de componentes de Karmada."}],"metrics":{"cvssMetricV40":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":8.7,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"LOW","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"HIGH","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-266"}]}],"references":[{"url":"https://github.com/karmada-io/karmada/commit/2c82055c4c7f469411b1ba48c4dba4841df04831","source":"security-advisories@github.com"},{"url":"https://github.com/karmada-io/karmada/pull/5793","source":"security-advisories@github.com"},{"url":"https://github.com/karmada-io/karmada/security/advisories/GHSA-mg7w-c9x2-xh7r","source":"security-advisories@github.com"},{"url":"https://karmada.io/docs/administrator/security/component-permission","source":"security-advisories@github.com"}]}}]}