Vendor: KubeSphere
Author: Okan Kurtulus
CVSS: 6.1 (HIGH)
Vulnerability Type: Insecure Direct Object Reference (IDOR)
CWE: 862
Product Name: KubeSphere
Affected Version From: 3.0.0
Affected Version To: 3.4.0
Patch Exists: NO
CVE: CVE-2024-46528
CPE: a:kubesphere:kubesphere:3.4.0
Platforms Tested: Ubuntu 22.04
Year: 2024

KubeSphere 3.4.0 – Insecure Direct Object Reference (IDOR)

KubeSphere 3.4.0 lets a low-privilege authenticated user who is not a member of any workspace or cluster read sensitive cluster-scoped information: cluster and node details, the list of registered users, project listings, cluster monitoring data and the kubeconfig view. The root cause is a missing authorization check on these reads (CWE-862): the user's role says it cannot access any resources before joining a workspace, yet the cluster-level views are still served. Affected versions are [>= 4.0.0 & < 4.1.3] and [>= 3.0.0 & < 3.4.1].

Mitigation:

Upgrade to a release outside the affected ranges listed above. Until then, enforce authorization on the affected cluster-scoped endpoints according to the user's roles and permissions (a platform-regular user who has not joined any workspace should receive a denial, not data), avoid exposing the console NodePort beyond trusted networks, and include a test login with a workspace-less account in regular access control reviews to confirm that unauthorized reads are actually refused.

Exploit-DB raw data:

# Exploit Title: KubeSphere 3.4.0 - Insecure Direct Object Reference (IDOR)
# Date: 3 September
# Exploit Author: Okan Kurtulus
# Vendor Homepage: https://kubesphere.io
# Software Link: https://github.com/kubesphere/kubesphere
# Version: [>= 4.0.0 & < 4.1.3] , [>= 3.0.0 & < 3.4.1]
# Tested on: Ubuntu 22.04
# CVE : CVE-2024-46528

1-) Log in to the system with a user who is not a member of any workspace (for example, a "platform-regular" user, which has limited authorization).

Note: KubeSphere describes the authorization level of this role as follows:
"Cannot access any resources before joining a workspace."

2-) After logging in with this user, cluster information, node information, the users registered in the system and similar areas can still be reached, even though the user belongs to no workspace or cluster.

Examples of accessible endpoints (console routes; 30880 is KubeSphere's default console NodePort):

http://xxx.xxx.xx.xx:30880/clusters/default/overview
http://xxx.xxx.xx.xx:30880/clusters/default/nodes
http://xxx.xxx.xx.xx:30880/access/accounts
http://xxx.xxx.xx.xx:30880/clusters/default/monitor-cluster/ranking
http://xxx.xxx.xx.xx:30880/clusters/default/monitor-cluster/resource
http://xxx.xxx.xx.xx:30880/clusters/default/projects
http://xxx.xxx.xx.xx:30880/clusters/default/nodes/minikube/pods
http://xxx.xxx.xx.xx:30880/clusters/default/kubeConfig