Vulnerability Report: GO-2024-3248

CVE-2024-46528, GHSA-p26r-gfgc-c47h
Affects: github.com/kubesphere/kubesphere
Published: Dec 12, 2024

An Insecure Direct Object Reference (IDOR) vulnerability in KubeSphere allows low-privileged authenticated attackers to access sensitive resources without proper authorization checks. NOTE: A fix is expected in v4.1.3 in January 2025.

For detailed information about this vulnerability, visit https://github.com/advisories/GHSA-p26r-gfgc-c47h.

Affected Modules

Path

Go Versions

Custom Versions^*
github.com/kubesphere/kubesphere

all versions, no known fixed

from 3.0.0 before 3.4.1, from 4.0.0 before 4.1.3

^{*Custom versions, which can't be mapped automatically to standard Go module versions, are ignored by govulncheck. (See this note on versions for more details.)}

Aliases

CVE-2024-46528
GHSA-p26r-gfgc-c47h

References

https://github.com/advisories/GHSA-p26r-gfgc-c47h
https://github.com/kubesphere/kubesphere/issues/6227
https://okankurtulus.com.tr/2024/09/09/idor-vulnerability-in-kubesphere
https://www.kubesphere.io/news/kubesphere-cve-2024-46528
https://vuln.go.dev/ID/GO-2024-3248.json

Credits

Okan Kurtuluş

Feedback

See anything missing or incorrect? Suggest an edit to this report.

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL