vCluster Platform Access Key Scope Bypass Vulnerability
Vulnerability
A vulnerability exists in vCluster Platform versions prior to 4.5.3, 4.4.2, and 4.3.10 that allows an access key created with a limited scope to bypass that scope and reach resources outside its intended limits. The bypass does not extend beyond the owner of the key: a key can never reach resources that the access key owner could not reach directly. The practical exposure is therefore unauthorized access to whatever resources the key owner's own permissions cover, rather than the narrower set the scope was meant to allow.
Impact
Exploitation of this vulnerability could result in unauthorized access to resources across virtual clusters and projects, potentially leading to exposure of sensitive data or disruption of services.
Remediation
Upgrade to vCluster Platform version 4.6.0, 4.5.4, 4.4.2, or 4.3.10 to address this vulnerability. If an immediate upgrade is not possible, review every scoped access key and check that its owner holds only the permissions the key's scope was meant to grant, since on an affected version the owner's permissions, not the scope, are the effective limit. As a temporary workaround, create automation users with limited permissions and issue access keys for those users instead of for broadly privileged accounts.
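The review step above can be scripted. The following is an added example, not code from the vCluster project: it models each access key as an owner plus a project scope, treats a user's permissions as a constructed mapping of user to project names ("*" standing for platform-wide rights; the real platform derives this from cluster roles, which the example does not query), and flags every scoped key whose owner can reach more than the scope allows. The AccessKey and user shapes, the sample names and the "*" marker are all assumptions made for the example.

```python
"""Audit scoped vCluster Platform access keys against their owners' rights.

Added example; not code from the vCluster project. The AccessKey and user
shapes are assumptions: an owner user plus a project scope, and a constructed
user -> projects mapping standing in for the permissions the platform would
derive from cluster roles.
"""
from dataclasses import dataclass

ALL = "*"  # assumed marker for platform-wide (admin) permissions


@dataclass(frozen=True)
class AccessKey:
    name: str
    user: str                       # owner of the key
    scope: frozenset = frozenset()  # projects the key should be limited to; empty = unscoped


@dataclass(frozen=True)
class Finding:
    key: str
    user: str
    excess: frozenset   # what the owner can reach beyond the key's scope
    advice: str


# Constructed sample data, not output from a real platform.
SAMPLE_USERS = {
    "admin": frozenset({ALL}),
    "ci-bot": frozenset({"team-a"}),
    "alice": frozenset({"team-a", "team-b"}),
}
SAMPLE_KEYS = [
    AccessKey("ci-key", "ci-bot", frozenset({"team-a"})),
    AccessKey("admin-ci-key", "admin", frozenset({"team-a"})),
    AccessKey("alice-b-only", "alice", frozenset({"team-b"})),
    AccessKey("admin-unscoped", "admin"),
]


def reach_if_scope_ignored(key: AccessKey, users: dict) -> frozenset:
    """On an affected version the scope is not enforced, so the key reaches
    exactly what its owner can reach, and never more than that."""
    return users.get(key.user, frozenset())


def excess_over_scope(key: AccessKey, users: dict) -> frozenset:
    """Permissions the owner holds that the key's scope was supposed to exclude."""
    owner = reach_if_scope_ignored(key, users)
    if ALL in owner:
        return frozenset({ALL})
    return owner - key.scope


def audit(keys, users) -> list[Finding]:
    """Flag scoped keys whose owner can reach more than the scope allows.

    Unscoped keys are skipped: a scope never bounded them, so the fix changes
    nothing for them; they still deserve a separate review of their owner."""
    findings = []
    for key in keys:
        if not key.scope or key.user not in users:
            continue
        excess = excess_over_scope(key, users)
        if excess:
            wanted = ", ".join(sorted(key.scope))
            findings.append(Finding(
                key.name, key.user, excess,
                f"create an automation user limited to [{wanted}] and issue the key to it",
            ))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_KEYS, SAMPLE_USERS):
        print(f"{f.key}: owner {f.user} exceeds scope by {sorted(f.excess)}; {f.advice}")
```

With the constructed data, ci-key is clean because its owner already holds nothing beyond the scope, admin-ci-key is flagged because its owner is platform-wide, and alice-b-only is flagged because the owner can also reach team-a. The advice string on each finding is the workaround from the Remediation section: re-issue the key to an automation user whose permissions equal the intended scope, so the owner's permissions and the scope coincide.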
