Upgrade github.com/kcp-dev/kcp/pkg/authorization/bootstrap to version 0.26.1 or higher.
Affected versions of this package are vulnerable to Improper Authorization through the impersonate verb. An attacker who holds impersonation rights can gain unauthorized membership of global administrative groups by abusing the impersonation feature, which is intended only for highly privileged users such as cluster-admin.
This vulnerability can be mitigated by not assigning the cluster-admin role, or any other role that grants blanket impersonation permissions, to users. Additionally, placing a reverse proxy in front of the API that inspects the Impersonate-Group header and rejects requests impersonating global administrative groups further reduces the exposure.
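The reverse-proxy mitigation described above, written as an added Go example that is not part of the kcp project or of this advisory. The upstream address and the protected group name "system:kcp:admin" are assumptions for illustration; a real deployment must list the global administrative groups its own kcp instance uses.

```go
package main

import (
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
	"strings"
)

// ImpersonationFilter fronts the kcp API and refuses any request whose
// Impersonate-Group header names one of the protected groups.
type ImpersonationFilter struct {
	Blocked map[string]bool // groups that must never be impersonated via this proxy
	Next    http.Handler
}

// BlockedGroup returns the first protected group named in the request's
// Impersonate-Group headers (trimmed), or "" if none. The header may be
// repeated, so every value is checked; net/http canonicalizes the header
// name, so case variants such as "impersonate-group" are covered too.
func (f *ImpersonationFilter) BlockedGroup(r *http.Request) string {
	for _, g := range r.Header.Values("Impersonate-Group") {
		if g = strings.TrimSpace(g); f.Blocked[g] {
			return g
		}
	}
	return ""
}

// ServeHTTP rejects blocked impersonation with 403 and forwards everything else.
func (f *ImpersonationFilter) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	if g := f.BlockedGroup(r); g != "" {
		http.Error(w, "impersonating group "+g+" is not permitted", http.StatusForbidden)
		return
	}
	f.Next.ServeHTTP(w, r)
}

func main() {
	// Assumed values for this example: the kcp front-proxy address and the
	// group name. Substitute the global admin groups of your deployment.
	upstream := &url.URL{Scheme: "https", Host: "kcp-front-proxy.example.internal:6443"}
	filter := &ImpersonationFilter{
		Blocked: map[string]bool{"system:kcp:admin": true},
		Next:    httputil.NewSingleHostReverseProxy(upstream),
	}
	log.Fatal(http.ListenAndServe(":8080", filter))
}
```

The filter only complements the upgrade: it blocks the header at the edge, while the fixed kcp version stops the authorization bypass itself.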