Kgateway Missing Authentication Vulnerability in xDS Interface

Vulnerability

A vulnerability exists in Kgateway versions 2.0.4 and earlier, as well as in 2.1.0-agw-cel-rbac through 2.1.0-rc.2, where the xDS interface lacks authentication. Any client with network access to the xDS port can retrieve potentially sensitive configuration data, including certificate data, backend service details, routing rules, and cluster metadata. The root cause is the absence of any authorization check on the interface, so anonymous clients can read xDS data and the gateway configuration it carries.

Impact

The lack of authentication in the xDS interface could lead to unauthorized access to sensitive gateway configuration data, including certificates, backend service information, routing rules, and cluster metadata.

Remediation

Users can upgrade to Kgateway version 2.0.5 or 2.1.0, both of which enable JWT-based authentication for the xDS interface by default. If an immediate upgrade is not possible, a Kubernetes NetworkPolicy can restrict access to Kgateway's xDS port so that only trusted sources are able to connect.
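As an added example (not from the advisory or the kgateway project), the following NetworkPolicy implements the interim mitigation: only the gateway proxy pods that actually consume xDS may reach the control plane's xDS port, and everything else is denied. The namespace, pod labels and port number are assumptions marked in the comments and must be checked against the real deployment.

```yaml
# Added example, not part of the advisory or of kgateway itself.
# Assumptions (verify with `kubectl get pods -A --show-labels`):
#   - control plane runs in namespace kgateway-system with label
#     app.kubernetes.io/name: kgateway
#   - proxy pods carry the label gateway.networking.k8s.io/gateway-name
#   - xDS is served on TCP 9977 (placeholder; use the port your version exposes)
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: kgateway-xds-allow-proxies-only
  namespace: kgateway-system
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: kgateway
  policyTypes:
    - Ingress
  ingress:
    # Only Envoy proxy pods that consume xDS may reach the xDS port.
    - from:
        - namespaceSelector: {}          # proxies may live in any namespace ...
          podSelector:                    # ... but must carry the proxy label
            matchExpressions:
              - key: gateway.networking.k8s.io/gateway-name
                operator: Exists
      ports:
        - protocol: TCP
          port: 9977
    # Once a pod is selected, all ingress not listed here is denied. Any other
    # port the control plane legitimately exposes (metrics, validation webhook)
    # needs its own explicit rule, or those callers will break.
```

NetworkPolicy is only enforced when the cluster's CNI supports it, so confirm the effect with a connection attempt to the xDS port from a pod that is not a proxy before relying on this as the mitigation.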

Added: Nov 7, 2025, 4:18 AM
Updated: Nov 7, 2025, 4:18 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 4.9
remediation: 0.0
relevance: 0.9
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.