Karmada Dashboard Authentication Bypass Vulnerability in API Endpoints

Vulnerability

An authentication bypass vulnerability has been identified in the Karmada Dashboard API prior to version 0.2.0. The vulnerability allows unauthenticated users to access sensitive cluster information, such as Secrets and Services, through backend API endpoints that did not enforce authentication. While the web UI required a valid JSON Web Token (JWT) for access, the API remained exposed to direct requests without authentication checks. This vulnerability could be exploited by any user or entity with network access to the Karmada Dashboard service.

Impact

Exploitation of this vulnerability allows unauthorized access to sensitive cluster information, including Secrets and Services, through the Karmada Dashboard API.

Reproduction

The vulnerability can be reproduced by sending a direct request to the Karmada Dashboard API endpoints, such as '/api/v1/secret' or '/api/v1/service', without including an authorization token. This can be done using tools like curl or Postman, or through a web browser.

Remediation

Users are advised to upgrade to Karmada Dashboard version 0.2.0 or later, which includes the necessary authentication checks for all API endpoints. If an immediate upgrade is not possible, users can restrict network access to the Karmada Dashboard service using Kubernetes Network Policies, firewall rules, or ingress controls, or place the Dashboard behind a reverse proxy that enforces authentication.
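Because the bypass leaves no trace in the Dashboard itself, a quick way to check whether an exposed instance was actually queried this way is to audit the access log of the reverse proxy in front of it. The following is an added example, not code from the advisory or from the Karmada project; it assumes a constructed log format in which the proxy records only whether an Authorization header was present (not its value), and flags successful responses on the Secret and Service endpoints that carried no credential.

```python
import re
from dataclasses import dataclass
from typing import List

# Endpoints the advisory names as reachable without a token before 0.2.0.
SENSITIVE_PATHS = ("/api/v1/secret", "/api/v1/service")

# Constructed log format (an assumption, not the Dashboard's own format):
#   <client_ip> <method> <path> <status> auth=<present|absent>
LOG_LINE = re.compile(
    r"^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3}) "
    r"auth=(?P<auth>present|absent)$"
)


@dataclass
class Finding:
    ip: str
    path: str
    status: int


def is_sensitive(path: str) -> bool:
    """True for the exact endpoint or any sub-resource beneath it."""
    return any(path == p or path.startswith(p + "/") for p in SENSITIVE_PATHS)


def audit_access_log(lines: List[str]) -> List[Finding]:
    """Return one Finding per unauthenticated, successful sensitive request."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the expected format
        path = m.group("path").split("?", 1)[0]  # drop the query string
        if not is_sensitive(path):
            continue
        status = int(m.group("status"))
        # A 2xx answer with no credential is the signature of the bypass;
        # a 401/403 on the same path means authentication is being enforced.
        if m.group("auth") == "absent" and 200 <= status < 300:
            findings.append(Finding(m.group("ip"), path, status))
    return findings


# Constructed sample log lines for demonstration only.
SAMPLE_LOG = [
    "10.0.0.5 GET /api/v1/secret 200 auth=absent",             # flagged
    "10.0.0.5 GET /api/v1/service?namespace=default 200 auth=absent",  # flagged
    "10.0.0.7 GET /api/v1/secret 200 auth=present",            # token supplied
    "10.0.0.8 GET /api/v1/secret 401 auth=absent",             # auth enforced
    "10.0.0.9 GET / 200 auth=absent",                          # web UI, not API
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for f in audit_access_log(SAMPLE_LOG):
        print(f"unauthenticated access: {f.ip} -> {f.path} ({f.status})")
```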

Added: Oct 24, 2025, 4:33 PM
Updated: Oct 24, 2025, 4:33 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 8.7
remediation: 7.7
relevance: 0.8
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.