5.3

CVSS Score

4.0

Basic Information

CVE ID

CVE-2024-56514

GHSA ID

GHSA-cwrh-575j-8vr3

EPSS Score

0.44797%

CWE

CWE-22

Published

1/3/2025

Updated

1/3/2025

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-56514

CVE-2024-56514: Karmada Tar Slips in CRDs archive extraction

Impact

What kind of vulnerability is it? Who is impacted?

Both in karmadactl and karmada-operator, it is possible to supply a filesystem path, or an HTTP(s) URL to retrieve the custom resource definitions(CRDs) needed by karmada. The CRDs are downloaded as a gzipped tarfile and are vulnerable to a TarSlip vulnerability. An attacker able to supply a malicious CRD file into a karmada initialization could write arbitrary files in arbitrary paths of the filesystem.

Patches

Has the problem been patched? What versions should users upgrade to?

From karmada version v1.12.0, when processing custom CRDs files, CRDs archive verification is utilized to enhance file system robustness.

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

When using karmadactl init to set up Karmada, if you need to set flag --crd to customize the CRD files required for karmada initialization, you can manually inspect the CRD files to check whether they contain sequences such as ../ that would alter file paths, to determine if they potentially include malicious files.

When using karmada-operator to set up Karmada, you must upgrade your karmada-operator to one of the fixed versions.

References

Are there any links users can visit to find out more?

Enhancements made from the Karmada community: https://github.com/karmada-io/karmada/pull/5713, https://github.com/karmada-io/karmada/pull/5703

(GitHub Advisory)

5.3

CVSS Score

4.0

Basic Information

CVE ID

CVE-2024-56514

GHSA ID

GHSA-cwrh-575j-8vr3

EPSS Score

0.44797%

CWE

CWE-22

Published

1/3/2025

Updated

1/3/2025

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/karmada-io/karmada	go	< 1.12.0	1.12.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from insecure tar extraction in two components:

In karmadactl's prepareCRD function, CRD tarballs were decompressed using utils.DeCompress() without validating file paths, making it susceptible to directory traversal attacks. The patch added validation.ValidateTarball() before extraction.
In karmada-operator's runUnpack function, CRD tarballs were unpacked with util.Unpack() without path validation. The fix introduced validation checks before unpacking. Both functions lacked path sanitization and allowed '../' sequences in tar entries to escape the target directory, leading to arbitrary file writes. The confidence is high as the patches directly address these functions by adding validation logic.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t _W**t kin* o* vuln*r**ility is it? W*o is imp**t**?_ *ot* in k*rm****tl *n* k*rm***-op*r*tor, it is possi*l* to supply * *il*syst*m p*t*, or *n *TTP(s) URL to r*tri*v* t** *ustom r*sour** ***initions(*R*s) n***** *y k*rm***. T** *R*s *r*

Reasoning

T** vuln*r**ility st*ms *rom ins**ur* t*r *xtr**tion in two *ompon*nts: *. In k*rm****tl's pr*p*r**R* *un*tion, *R* t*r**lls w*r* ***ompr*ss** usin* utils.***ompr*ss() wit*out v*li**tin* *il* p*t*s, m*kin* it sus**pti*l* to *ir**tory tr*v*rs*l *tt**k

5.3

Basic Information

Concerned about an active attack path?

CVE-2024-56514: Karmada Tar Slips in CRDs archive extraction

Impact

Patches

Workarounds

References

5.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI