The vulnerability of the karmada-operator and karmadactl packages from the Kubernetes cluster management system allows a hacker to write arbitrary files to the basic file system, enabling them to run cloud applications on multiple Karmada clusters.

The vulnerability of the karmada-operator and karmadactl packages from the Kubernetes cluster management system, which are used to run cloud applications across multiple Karmada clusters, is related to an incorrect path name limitation for accessing the restricted directory. Exploiting this...

Privilege Escalation

github.com/karmada-io/karmada is vulnerable to Privilege Escalation. The vulnerability is due to pull mode clusters being registered with excessive access to control plane resources via the karmadactl register command, allowing them excessive privileges to control plane resources...

PT-2025-1002 · Karmada +1 · Karmada +1

Name of the Vulnerable Software and Affected Versions: Karmada versions prior to 1.12.0 Description: The issue is related to excessive privileges in PULL mode clusters, allowing an attacker who can authenticate as the karmada-agent to obtain administrative privileges over the entire federation...