Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information. Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
kcp allows unauthorized creation and deletion of objects in arbitrary workspaces through APIExport Virtual Workspace
Vulnerability Description
kcp is a Kubernetes-like control plane for form-factors and use-cases beyond Kubernetes and container workloads. Prior to 0.26.3, the identified vulnerability allows creating or deleting an object via the APIExport VirtualWorkspace in any arbitrary target workspace for pre-existing resources. By design, this should only be allowed when the workspace owner decides to give access to an API provider by creating an APIBinding. With this vulnerability, it is possible for an attacker to create and delete objects even if none of these requirements are satisfied, i.e. even if there is no APIBinding in that workspace at all or the workspace owner has created an APIBinding, but rejected a permission claim. A fix for this issue has been identified and has been published with kcp 0.26.3 and 0.27.0.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
Vulnerability Type
Improper Authorization
Vulnerability Title
kcp Authorization Vulnerability
Vulnerability Description
kcp is a Kubernetes-like control plane open-sourced by kcp-dev, for Kubernetes and containers. kcp versions prior to 0.26.3 contain an authorization vulnerability: the APIExport VirtualWorkspace allows objects to be created or deleted in any target workspace, which can lead to unauthorized object operations.
CVSS Information
N/A
Vulnerability Type
N/A