Critical severity · NVD Advisory · Published Aug 12, 2024 · Updated Aug 12, 2024
Kamaji's RBAC Roles for `etcd` are not disjunct
CVE-2024-42480
Description
Kamaji is the Hosted Control Plane Manager for Kubernetes. In versions 1.0.0 and earlier, Kamaji uses an "open at the top" range definition in RBAC for etcd roles, leading to some tenant control planes' (TCPs') API servers being able to read, write, and delete the data of other control planes. This vulnerability is fixed in edge-24.8.2.
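The "open at the top" range from the description, worked through as an added example (not Kamaji's code): prefixRangeEnd re-implements the etcd client's GetPrefixRangeEnd algorithm, inRange models etcd's half-open permission range under byte-wise key ordering (an assumption, stated in the code), and the two other-tenant keys are constructed sample values.

```go
package main

import "fmt"

// prefixRangeEnd re-implements the etcd client's GetPrefixRangeEnd: the smallest
// key sorting after every key sharing the prefix (last byte +1, trailing 0xff
// dropped). An all-0xff prefix has no successor and yields "\x00" ("from key").
func prefixRangeEnd(prefix string) string {
	end := []byte(prefix)
	for i := len(end) - 1; i >= 0; i-- {
		if end[i] < 0xff {
			end[i]++
			return string(end[:i+1])
		}
	}
	return "\x00"
}

// inRange models etcd's permission check on byte-wise key ordering: a grant covers
// [start, rangeEnd), or every key >= start when rangeEnd is the single NUL byte.
func inRange(key, start, rangeEnd string) bool {
	if key < start {
		return false
	}
	return rangeEnd == "\x00" || key < rangeEnd
}

// buildKey wraps a tenant name in slashes, as Kamaji's buildKey does.
func buildKey(name string) string { return "/" + name + "/" }

// crossTenantLeak lists the other tenants' keys that a grant on owner's prefix
// would cover when rangeEnd is used as the permission's range end.
func crossTenantLeak(owner, rangeEnd string, otherKeys []string) []string {
	var leaked []string
	for _, k := range otherKeys {
		if inRange(k, buildKey(owner), rangeEnd) {
			leaked = append(leaked, k)
		}
	}
	return leaked
}

func main() {
	// Constructed sample keys belonging to two other tenants.
	others := []string{"/cp-aa/registry/secrets/x", "/cp-b/registry/secrets/y"}
	old := `\0` // the removed constant: backslash + '0', not a NUL byte
	fmt.Println("vulnerable grant leaks:", crossTenantLeak("cp-a", old, others))
	fmt.Println("fixed grant leaks:", crossTenantLeak("cp-a", prefixRangeEnd(buildKey("cp-a")), others))
}
```

With the old range end every key below the two-byte string `\0` in byte order, including every other tenant's `/.../` prefix, falls inside tenant cp-a's grant; with `/cp-a0` only cp-a's own keys do.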
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/clastix/kamaji (Go) | <= 1.0.0 | — |
Affected products
Patches (1)
1731e8c2ed51 Merge commit from fork
1 file changed · +12 −9
internal/datastore/etcd.go+12 −9 modified@@ -16,13 +16,6 @@ import ( "github.com/clastix/kamaji/internal/datastore/errors" ) -const ( - // rangeEnd is the key following the last key of the range. - // If rangeEnd is ‘\0’, the range is all keys greater than or equal to the key argument - // source: https://etcd.io/docs/v3.5/learning/api/ - rangeEnd = "\\0" -) - func NewETCDConnection(config ConnectionConfig) (Connection, error) { endpoints := make([]string, 0, len(config.Endpoints)) @@ -68,7 +61,8 @@ func (e *EtcdClient) GrantPrivileges(ctx context.Context, user, dbName string) e permission := etcdclient.PermissionType(authpb.READWRITE) key := e.buildKey(dbName) - if _, err := e.Client.RoleGrantPermission(ctx, user, key, rangeEnd, permission); err != nil { + + if _, err := e.Client.RoleGrantPermission(ctx, user, key, etcdclient.GetPrefixRangeEnd(key), permission); err != nil { return errors.NewGrantPrivilegesError(err) } @@ -170,6 +164,13 @@ func (e *EtcdClient) Driver() string { return string(kamajiv1alpha1.EtcdDriver) } +// buildKey adds slashes to the beginning and end of the key. This ensures that the range +// end for etcd RBAC is calculated using the entire key prefix, not only the key name. If +// the range end was calculated e.g. for `/cp-a`, the result would be `/cp-b`, which also +// includes `/cp-aa` (etcd uses lexicographic ordering on key ranges for RBAC). Using +// `/cp-a/` as the input for the range end calculation results in `/cp-a0`, which doesn't +// allow for any other potential control plane key prefixes to be located within the range. +// For more information, see also https://etcd.io/docs/v3.3/learning/api/#key-ranges func (e *EtcdClient) buildKey(key string) string { return fmt.Sprintf("/%s/", key) } 
@@ -181,7 +182,9 @@ func (e *EtcdClient) Migrate(ctx context.Context, tcp kamajiv1alpha1.TenantContr return err } - response, err := e.Client.Get(ctx, e.buildKey(fmt.Sprintf("%s_%s", tcp.GetNamespace(), tcp.GetName())), etcdclient.WithRange(rangeEnd)) + key := e.buildKey(fmt.Sprintf("%s_%s", tcp.GetNamespace(), tcp.GetName())) + + response, err := e.Client.Get(ctx, key, etcdclient.WithPrefix()) if err != nil { return err }
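Review bot: in the first hunk the removed `rangeEnd = "\\0"` is the Go literal for the two bytes backslash and '0', not the single NUL byte that its own comment (and the linked etcd API docs) describe as the "all keys >= key" sentinel; either way, the granted range [key, rangeEnd) ran well past the tenant's own `/.../` prefix, since every key starting with '/' sorts below `\0`. Deleting the constant instead of "correcting" it to "\x00" is the right call, and the removal deserves a changelog entry flagged as a security fix.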
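Review bot: the GrantPrivileges change in the second hunk only affects grants issued from now on; nothing in the patch revokes the permissions that existing tenant roles already received with the old range end, so those roles keep read/write access to other tenants' prefixes after the upgrade. Pair this with a migration step that revokes the old (key, rangeEnd) permission via RoleRevokePermission and re-grants with `etcdclient.GetPrefixRangeEnd(key)`, or document the manual step in the release notes. The blank line inserted between `key := e.buildKey(dbName)` and the `if` is also stray.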
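Review bot: the new buildKey comment in the third hunk explains why the trailing slash matters, but nothing asserts it; a unit test pinning `etcdclient.GetPrefixRangeEnd(e.buildKey("cp-a")) == "/cp-a0"` and checking that a key under `/cp-aa/` falls outside that range would keep the invariant from regressing. The comment also links the v3.3 API docs while the removed constant cited v3.5; point both at one version.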
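Review bot: in the Migrate hunk, `etcdclient.WithPrefix()` derives the same range end from `key` that GrantPrivileges now computes explicitly with `GetPrefixRangeEnd(key)`, so the read path and the grant path finally agree on what a tenant's prefix covers; the extra blank line after `key := ...` matches the stray one in the GrantPrivileges hunk and can go.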
References (5)
- github.com/advisories/GHSA-6r4j-4rjc-8vw5 (ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2024-42480 (ADVISORY)
- github.com/clastix/kamaji/blob/8cdc6191242f80d120c46b166e2102d27568225a/internal/datastore/etcd.go (WEB)
- github.com/clastix/kamaji/commit/1731e8c2ed5148b125ecfbdf091ee177bd44f3db (WEB)
- github.com/clastix/kamaji/security/advisories/GHSA-6r4j-4rjc-8vw5 (WEB)