x/vulndb: potential Go vuln in github.com/kcp-dev/kcp: GHSA-c7xh-gjv4-4jgv

[GoVulnBot]

Advisory GHSA-c7xh-gjv4-4jgv references a vulnerability in the following Go modules:

Module
github.com/kcp-dev/kcp

Description:

Impact

Impersonation is a feature of the Kubernetes API, allowing to override user information. As downstream project, kcp inherits this feature. As per the linked documentation a specific level of privilege (usually assigned to cluster admins) is required for impersonation.

The vulnerability in kcp affects kcp installations in which users are granted the cluster-admin ClusterRole (or comparably high permission levels that grant impersonation access; the verb in question is impersonate) with...

References:

• ADVISORY: GHSA-c7xh-gjv4-4jgv
• ADVISORY: GHSA-c7xh-gjv4-4jgv
• FIX: kcp-dev/kcp@24ab5d4
• FIX: 🐛 Fix impersonation for non-system users kcp-dev/kcp#3206

No existing reports found with this module or alias.
See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/kcp-dev/kcp
      non_go_versions:
        - introduced: TODO (earliest fixed "0.26.1", vuln range "<= 0.26.0")
      vulnerable_at: 0.26.1
summary: kcp's impersonation allows access to global administrative groups in github.com/kcp-dev/kcp
ghsas:
    - GHSA-c7xh-gjv4-4jgv
references:
    - advisory: https://github.com/advisories/GHSA-c7xh-gjv4-4jgv
    - advisory: https://github.com/kcp-dev/kcp/security/advisories/GHSA-c7xh-gjv4-4jgv
    - fix: https://github.com/kcp-dev/kcp/commit/24ab5d4dc35ddff98a2e5fdc236e1681f03283ec
    - fix: https://github.com/kcp-dev/kcp/pull/3206
source:
    id: GHSA-c7xh-gjv4-4jgv
    created: 2024-12-11T19:01:29.17593584Z
review_status: UNREVIEWED

[gopherbot]

Change https://go.dev/cl/635223 mentions this issue: data/reports: add 5 unreviewed reports