GHSA-v95x-xhq5-4929
kumactl connects to control plane without verifying TLS certificate when no CA is configured
Details
When an operator adds an HTTPS control plane profile to `kumactl` without providing a CA certificate, `kumactl` disables TLS verification and sends API tokens over the unverified connection
## Impact
An attacker on the network path between the operator and the control plane can intercept user or admin API tokens and then act against the control plane as that user
## Affected configurations
- `kumactl` profiles manually added against an HTTPS control plane endpoint without `--ca-cert-file`
## Not affected
- The default local profile, which uses plain HTTP
## Workarounds
When adding an HTTPS control plane profile to `kumactl`, always pass `--ca-cert-file` pointing at the control plane's serving CA. Alternatively, terminate the control plane behind a publicly trusted certificate; the patched releases will verify successfully against the operating system trust store with no further configuration
## Resources
- Fix: https://github.com/kumahq/kuma/pull/16777
Are you affected?
Enter the version of the package you're using.
Affected packages
0 Fixed in: 2.7.26 go get github.com/kumahq/kuma/v2@v2.7.26 2.8.0 Fixed in: 2.9.16 go get github.com/kumahq/kuma/v2@v2.9.16 2.10.0 Fixed in: 2.11.14 go get github.com/kumahq/kuma/v2@v2.11.14 2.12.0 Fixed in: 2.12.11 go get github.com/kumahq/kuma/v2@v2.12.11 2.13.0 Fixed in: 2.13.7 go get github.com/kumahq/kuma/v2@v2.13.7 0 No fixed version published yet for github.com/kumahq/kuma (go modules). Pin to a known-safe version or switch to an alternative.