Karmada CRD Tar Slip Vulnerability Allowing Arbitrary File Write

Vulnerability

A vulnerability exists in Karmada's command-line tool, 'karmadactl', and the 'karmada-operator' component, prior to version 1.12.0. These versions allow users to specify a filesystem path or an HTTP(s) URL from which custom resource definitions (CRDs) are loaded as a gzipped tar file. This CRD handling is susceptible to a Tar Slip vulnerability: an attacker who controls the CRD archive can include entries whose paths, when the archive is extracted, cause files to be written to arbitrary locations on the filesystem during Karmada initialization. From version 1.12.0 onwards, Karmada verifies CRD archives before extracting them to prevent this. Users can also manually inspect CRD files for malicious content before uploading them.

Impact

Exploitation of this vulnerability could lead to unauthorized file writes on the system, potentially overwriting critical files or disrupting system operations.

Reproduction

To reproduce this vulnerability, obtain a CRD tarball that contains a tar slip payload, that is, one whose entries include relative paths that are interpreted as directory traversal sequences. Then initialize Karmada with 'karmadactl init' or 'karmada-operator', specifying the malicious CRD file. When the archive is extracted, the traversal paths are honored and files are written to the filesystem wherever the payload directs.

Remediation

Users can upgrade to Karmada version 1.12.0 or later, where this vulnerability is patched. If an upgrade is not possible, CRD files can be manually inspected for relative path manipulations before use.
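The check a CRD archive needs, as an added example in Go (the language Karmada is written in); this is not Karmada's own code and does not describe how the 1.12.0 verification is implemented. Every tar member's name is cleaned and resolved against the destination directory, any member that would land outside it or that is not a plain file or directory is rejected, and the audit returns the full list of offenders so a caller can refuse the whole bundle. The function names, the destination paths and the archive contents (names like crds/bases/example.yaml and ../../../tmp/slipped.yaml) are all constructed for this example.

```go
package main

import (
	"archive/tar"
	"bytes"
	"compress/gzip"
	"errors"
	"fmt"
	"io"
	"path/filepath"
	"strings"
)

// ErrUnsafeEntry marks an archive member that must never be written.
var ErrUnsafeEntry = errors.New("unsafe tar entry")

// checkEntry is the policy for a CRD bundle: directories and regular files only
// (links rejected, since a symlink plus a file written through it is the other
// slip route), and the cleaned path must stay under dest.
func checkEntry(dest string, h *tar.Header) (string, error) {
	if h.Typeflag != tar.TypeDir && h.Typeflag != tar.TypeReg {
		return "", fmt.Errorf("%w: %q has type %q", ErrUnsafeEntry, h.Name, h.Typeflag)
	}
	dest = filepath.Clean(dest)
	target := filepath.Join(dest, h.Name) // Join cleans, so ".." is collapsed here
	rel, err := filepath.Rel(dest, target)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("%w: %q escapes %q", ErrUnsafeEntry, h.Name, dest)
	}
	return target, nil // the only path an extractor may ever open
}

// AuditCRDArchive walks a gzipped tarball held in memory and returns the names
// of every member checkEntry rejects, writing nothing. An extractor should run
// this over the whole bundle first and refuse it if the list is non-empty.
func AuditCRDArchive(data []byte, dest string) ([]string, error) {
	gz, err := gzip.NewReader(bytes.NewReader(data))
	if err != nil {
		return nil, err
	}
	defer gz.Close()
	tr := tar.NewReader(gz)
	var bad []string
	for {
		h, err := tr.Next()
		if err == io.EOF {
			return bad, nil
		}
		if err != nil {
			return nil, err
		}
		if _, err := checkEntry(dest, h); err != nil {
			bad = append(bad, h.Name)
		}
	}
}

// entry is one constructed archive member (body is file content, or the link
// target for a symlink). SampleArchive builds an in-memory gzipped tarball with
// one legitimate CRD plus, if includeBad, a ".." traversal and a symlink. It is
// made-up test input, not a real Karmada CRD bundle.
type entry struct{ name, body string; typ byte }

func SampleArchive(includeBad bool) []byte {
	entries := []entry{{"crds/bases/example.yaml", "kind: CustomResourceDefinition\n", tar.TypeReg}}
	if includeBad {
		entries = append(entries,
			entry{"../../../tmp/slipped.yaml", "owned: true\n", tar.TypeReg},
			entry{"crds/etc", "/etc", tar.TypeSymlink})
	}
	var buf bytes.Buffer
	gz := gzip.NewWriter(&buf)
	tw := tar.NewWriter(gz)
	for _, e := range entries {
		h := &tar.Header{Name: e.name, Typeflag: e.typ, Mode: 0o644}
		if e.typ == tar.TypeSymlink {
			h.Linkname = e.body
		} else {
			h.Size = int64(len(e.body))
		}
		if err := tw.WriteHeader(h); err != nil {
			panic(err)
		}
		if e.typ == tar.TypeReg {
			if _, err := tw.Write([]byte(e.body)); err != nil {
				panic(err)
			}
		}
	}
	tw.Close()
	gz.Close()
	return buf.Bytes()
}

func main() {
	bad, err := AuditCRDArchive(SampleArchive(true), "crds-out")
	fmt.Println("rejected members:", bad, "error:", err)
}
```

Two design points matter here. filepath.Join on its own is not a defense: it silently collapses ".." into a path outside the destination, and only the filepath.Rel comparison turns that collapse into a rejection. And an extractor built on checkEntry should refuse the archive outright when the audit list is non-empty rather than skipping the bad members, so a rejected bundle never leaves a partial tree on disk.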

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread          0.0
impact          2.5
exploitability  8.4
remediation     7.7
relevance       0.0
threat          4.8
urgency         2.9
incentive       5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.