CVE-2025-29922

kcp is a Kubernetes-like control plane for form-factors and use-cases beyond Kubernetes and container workloads. Prior to 0.26.3, the identified vulnerability allows creating or deleting an object via the APIExport VirtualWorkspace in any arbitrary target workspace for pre-existing resources. By design, this should only be allowed when the workspace owner decides to give access to an API provider by creating an APIBinding. With this vulnerability, it is possible for an attacker to create and delete objects even if none of these requirements are satisfied, i.e. even if there is no APIBinding in that workspace at all or the workspace owner has created an APIBinding, but rejected a permission claim. A fix for this issue has been identified and has been published with kcp 0.26.3 and 0.27.0.

CVSS v3 9.6 CRITICAL

9.6^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.1 / Impact : 5.8

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/kcp-dev/kcp/commit/614ecbf35f11db00f65391ab6fbb1547ca8b5d38
https://github.com/kcp-dev/kcp/pull/3338
https://github.com/kcp-dev/kcp/security/advisories/GHSA-w2rr-38wv-8rrp

Configurations

No configuration.

History

20 Mar 2025, 18:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-03-20 18:15

Updated : 2025-03-20 18:15

NVD link : CVE-2025-29922

Mitre link : CVE-2025-29922

CVE.ORG link : CVE-2025-29922

JSON object : View

Products Affected

No product.

CWE

CWE-285

Improper Authorization

9.6 /10