CVE-2025-62714
Karmada Dashboard API Unauthorized Access Vulnerability
Vexday Risk Score
21Baixo
Decisão SSVC (CISA)
Track
Sem sinal de exploração → monitorar
CVSS 8.7EPSS 0.6%KEV nãoPoC —Nuclei —Metasploit —Patch —
Ciclo de vida
24 out 2025Publicada no NVD
Recomendação: Monitorar — sem sinal de exploração no momento.
Karmada Dashboard is a general-purpose, web-based control panel for Karmada which is a multi-cluster management project. Prior to version 0.2.0, there is an authentication bypass vulnerability in the Karmada Dashboard API. The backend API endpoints (e.g., /api/v1/secret, /api/v1/service) did not enforce authentication, allowing unauthenticated users to access sensitive cluster information such as Secrets and Services directly. Although the web UI required a valid JWT for access, the API itself remained exposed to direct requests without any authentication checks. Any user or entity with network access to the Karmada Dashboard service could exploit this vulnerability to retrieve sensitive data.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Produtos afetados
karmada-io · dashboardQuer saber se a sua infraestrutura está exposta a isto?
Falar com a TrueHacking →Referências
https://github.com/karmada-io/dashboard/commit/8457b8bb87725e2371a638ca5a255fd2895c70f1https://github.com/karmada-io/dashboard/commit/d2d04909f25e96b4c20fa6b636c398bd1636ee06https://github.com/karmada-io/dashboard/pull/271https://github.com/karmada-io/dashboard/pull/280https://github.com/karmada-io/dashboard/releases/tag/v0.2.0https://github.com/karmada-io/dashboard/security/advisories/GHSA-5qjg-9mjh-4r92