Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
vCluster Platform's Access Keys Allows Access Beyond Scope
Vulnerability Description
vCluster Platform provides a Kubernetes platform for managing virtual clusters, multi-tenancy, and cluster sharing. Prior to versions 4.6.0, 4.5.4, 4.4.2, and 4.3.10, when an access key is created with a limited scope, the scope can be bypassed to access resources outside of it. However, the user still cannot access resources beyond what is accessible to the owner of the access key. Versions 4.6.0, 4.5.4, 4.4.2, and 4.3.10 fix the vulnerability. Some other mitigations are available. Users can limit exposure by reviewing access keys which are scoped and ensuring any users with access to them have appropriate permissions set. Creating automation users with very limited permissions and using access keys for these automation users can be used as a temporary workaround where upgrading is not immediately possible but scoped access keys are needed.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Vulnerability Type
授权机制不正确
Vulnerability Title
vCluster Platform 安全漏洞
Vulnerability Description
vCluster Platform是vCluster开源的一个虚拟集群管理器。 vCluster Platform 4.6.0之前版本、4.5.4之前版本、4.4.2之前版本和4.3.10之前版本存在安全漏洞,该漏洞源于范围限制可被绕过,可能导致访问范围外资源。
CVSS Information
N/A
Vulnerability Type
N/A