VDB
KO
MEDIUM

GHSA-v95x-xhq5-4929

kumactl connects to control plane without verifying TLS certificate when no CA is configured

Details

When an operator adds an HTTPS control plane profile to `kumactl` without providing a CA certificate, `kumactl` disables TLS verification and sends API tokens over the unverified connection

## Impact

An attacker on the network path between the operator and the control plane can intercept user or admin API tokens and then act against the control plane as that user

## Affected configurations

- `kumactl` profiles manually added against an HTTPS control plane endpoint without `--ca-cert-file`

## Not affected

- The default local profile, which uses plain HTTP

## Workarounds

When adding an HTTPS control plane profile to `kumactl`, always pass `--ca-cert-file` pointing at the control plane's serving CA. Alternatively, terminate the control plane behind a publicly trusted certificate; the patched releases will verify successfully against the operating system trust store with no further configuration

## Resources

- Fix: https://github.com/kumahq/kuma/pull/16777

Are you affected?

Enter the version of the package you're using.

Affected packages

Go / github.com/kumahq/kuma/v2
Introduced in: 0 Fixed in: 2.7.26
Fix go get github.com/kumahq/kuma/v2@v2.7.26
Go / github.com/kumahq/kuma/v2
Introduced in: 2.8.0 Fixed in: 2.9.16
Fix go get github.com/kumahq/kuma/v2@v2.9.16
Go / github.com/kumahq/kuma/v2
Introduced in: 2.10.0 Fixed in: 2.11.14
Fix go get github.com/kumahq/kuma/v2@v2.11.14
Go / github.com/kumahq/kuma/v2
Introduced in: 2.12.0 Fixed in: 2.12.11
Fix go get github.com/kumahq/kuma/v2@v2.12.11
Go / github.com/kumahq/kuma/v2
Introduced in: 2.13.0 Fixed in: 2.13.7
Fix go get github.com/kumahq/kuma/v2@v2.13.7
Go / github.com/kumahq/kuma
Introduced in: 0

No fixed version published yet for github.com/kumahq/kuma (go modules). Pin to a known-safe version or switch to an alternative.

References