This is a summary of the AI-generated 10-question deep analysis. The full version (longer answers, follow-up Q&A, related CVEs) requires login.
Q1. What is this vulnerability? (Essence + Consequences)

**Essence**: kcp (Kubernetes control plane) has an **Authorization Flaw** in the `APIExport VirtualWorkspace`.
**Consequences**: Attackers can create or delete objects in **any target workspace**.…
**CWE**: CWE-285 (Improper Authorization).
**Flaw**: The `APIExport VirtualWorkspace` endpoint fails to properly validate permissions before allowing object creation/deletion across different workspaces.
Q3. Who is affected? (Versions/Components)

**Vendor**: kcp-dev.
**Product**: kcp.
**Affected Versions**: **< 0.26.3**. If you are running 0.26.2 or earlier, you are vulnerable!
Q4. What can hackers do? (Privileges/Data)

**Attacker Actions**:
1. **Create** arbitrary objects in any workspace.
2. **Delete** critical objects in any workspace.
3. **Bypass** workspace isolation boundaries.…

**Public Exploit**: **No**.
**Status**: No PoC or in-the-wild exploitation detected in the provided data.
**Risk**: Theoretical, but high impact due to the nature of the flaw.
Q7. How to self-check? (Features/Scanning)

**Self-Check**:
1. Check your kcp version (`kcp version`).
2. Verify whether the version is < 0.26.3.
3. Audit `APIExport` configurations for `VirtualWorkspace` usage.…

**Fixed**: **Yes**.
**Patch**: Upgrade to **kcp 0.26.3** or later.
**Reference**: See GitHub commit `614ecbf` and PR #3338 for the fix details.
Q9. What if no patch? (Workaround)

**Workaround (No Patch)**:
1. **Restrict Access**: Limit network access to `APIExport` endpoints.
2. **RBAC Hardening**: Apply strict RBAC policies to `VirtualWorkspace` users.…

**Priority**: **HIGH**.
**Published**: 2025-03-20.
**CVSS**: 8.6 (High).
**Action**: Patch immediately if running < 0.26.3. The impact on confidentiality and integrity is High (C:H, I:H).