id: GO-2024-3248
modules:
    - module: github.com/kubesphere/kubesphere
      non_go_versions:
        - introduced: 3.0.0
        - fixed: 3.4.1
        - introduced: 4.0.0
        - fixed: 4.1.3
      vulnerable_at: 0.0.0-20241205064546-af14da361bb2
summary: KubeSphere IDOR vulnerability in github.com/kubesphere/kubesphere
description: |
    An Insecure Direct Object Reference (IDOR) vulnerability in
    KubeSphere allows low-privileged authenticated attackers to access
    sensitive resources without proper authorization checks.

    NOTE: A fix is expected in v4.1.3 in January 2025.
cves:
    - CVE-2024-46528
ghsas:
    - GHSA-p26r-gfgc-c47h
credits:
    - Okan Kurtuluş
references:
    - advisory: https://github.com/advisories/GHSA-p26r-gfgc-c47h
    - report: https://github.com/kubesphere/kubesphere/issues/6227
    - web: https://okankurtulus.com.tr/2024/09/09/idor-vulnerability-in-kubesphere
    - web: https://www.kubesphere.io/news/kubesphere-cve-2024-46528
notes:
    - todo: Update once fix is released.
source:
    id: GHSA-p26r-gfgc-c47h
    created: 2024-12-11T15:00:53.811391-05:00
review_status: REVIEWED