Description
Advisory GHSA-5qjg-9mjh-4r92 references a vulnerability in the following Go modules:
| Module |
|---|
| github.com/karmada-io/dashboard |
Description:
Impact
This is an authentication bypass vulnerability in the Karmada Dashboard API. The backend API endpoints (e.g., /api/v1/secret, /api/v1/service) did not enforce authentication, allowing unauthenticated users to access sensitive cluster information such as Secrets and Services directly. Although the web UI required a valid JWT for access, the API itself remained exposed to direct requests without any authentication checks. Any user or entity with network access to the Karmada Dashboard service could exploit this vulnerability to retrieve sensitive data.
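The pattern the advisory describes, a UI route guarded by a JWT check while the JSON API routes are registered without it, is easy to reproduce and to fix with a single middleware. The following is an added example written for this page in Go with the standard library; it is not code from karmada-io/dashboard, and the route names, the placeholder handlers, the `validToken` constant and the bearer-token comparison (standing in for the dashboard's JWT verification) are all assumptions made for the demonstration.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// validToken stands in for a verified dashboard credential. The real
// dashboard validates a JWT; that verification is assumed here, not
// reproduced. The value is constructed for this example only.
const validToken = "example-service-account-token"

// isAuthenticated accepts a request only if it carries a bearer token equal
// to validToken. Constant-time comparison avoids leaking the token via timing.
func isAuthenticated(r *http.Request) bool {
	const prefix = "Bearer "
	auth := r.Header.Get("Authorization")
	if !strings.HasPrefix(auth, prefix) {
		return false
	}
	tok := strings.TrimPrefix(auth, prefix)
	return subtle.ConstantTimeCompare([]byte(tok), []byte(validToken)) == 1
}

// requireAuth is the middleware that must sit in front of every route.
func requireAuth(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !isAuthenticated(r) {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// Placeholder handlers; the bodies are constructed, not real cluster data.
func uiHandler(w http.ResponseWriter, r *http.Request) {
	fmt.Fprint(w, "<html>dashboard</html>")
}

func secretsHandler(w http.ResponseWriter, r *http.Request) {
	fmt.Fprint(w, `{"items":[{"name":"db-credentials","namespace":"default"}]}`)
}

func servicesHandler(w http.ResponseWriter, r *http.Request) {
	fmt.Fprint(w, `{"items":[{"name":"payments","namespace":"default"}]}`)
}

// VulnerableRouter reproduces the advisory's shape: only the UI route is
// wrapped in requireAuth, the API routes are registered bare. ServeMux
// dispatches to the most specific pattern, so /api/v1/secret never passes
// through the middleware attached to "/".
func VulnerableRouter() http.Handler {
	mux := http.NewServeMux()
	mux.Handle("/", requireAuth(http.HandlerFunc(uiHandler)))
	mux.HandleFunc("/api/v1/secret", secretsHandler)
	mux.HandleFunc("/api/v1/service", servicesHandler)
	return mux
}

// FixedRouter applies requireAuth once, around the whole mux, so every
// route, including any added later, inherits the check.
func FixedRouter() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/", uiHandler)
	mux.HandleFunc("/api/v1/secret", secretsHandler)
	mux.HandleFunc("/api/v1/service", servicesHandler)
	return requireAuth(mux)
}

// Probe sends GET path to h with an optional bearer token and returns the
// HTTP status, which is the observable that separates the two routers.
func Probe(h http.Handler, path, token string) int {
	req := httptest.NewRequest(http.MethodGet, path, nil)
	if token != "" {
		req.Header.Set("Authorization", "Bearer "+token)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	routers := []struct {
		name string
		h    http.Handler
	}{{"vulnerable", VulnerableRouter()}, {"fixed", FixedRouter()}}
	for _, rt := range routers {
		for _, p := range []string{"/", "/api/v1/secret", "/api/v1/service"} {
			fmt.Printf("%-10s GET %-16s (no token) -> %d\n", rt.name, p, Probe(rt.h, p, ""))
		}
	}
}
```

The same probe works against a deployed instance: an unauthenticated GET to `/api/v1/secret` that returns 200 with a body rather than 401 is the behaviour described above, and the check is worth keeping as a regression test after upgrading to v0.2.0, since per-route middleware is exactly the arrangement that let these endpoints slip through.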
Patches
The issue has been ...
References:
- ADVISORY: GHSA-5qjg-9mjh-4r92
- FIX: fix(security): add auth to all kinds of api request karmada-io/dashboard#271
- FIX: add auth for terminal karmada-io/dashboard#280
- WEB: https://github.com/karmada-io/dashboard/releases/tag/v0.2.0
No existing reports found with this module or alias.
See doc/quickstart.md for instructions on how to triage this report.
```yaml
id: GO-ID-PENDING
modules:
    - module: github.com/karmada-io/dashboard
      versions:
          - fixed: 0.2.0
      vulnerable_at: 0.1.0
summary: Karmada Dashboard API Unauthorized Access Vulnerability in github.com/karmada-io/dashboard
cves:
    - CVE-2025-62714
ghsas:
    - GHSA-5qjg-9mjh-4r92
references:
    - advisory: https://github.com/advisories/GHSA-5qjg-9mjh-4r92
    - advisory: https://github.com/karmada-io/dashboard/security/advisories/GHSA-5qjg-9mjh-4r92
    - fix: https://github.com/karmada-io/dashboard/pull/271
    - fix: https://github.com/karmada-io/dashboard/pull/280
    - web: https://github.com/karmada-io/dashboard/releases/tag/v0.2.0
source:
    id: GHSA-5qjg-9mjh-4r92
    created: 2025-10-24T16:01:34.040821181Z
review_status: UNREVIEWED
```