CVE-2025-62714
BaseFortify
Publication date: 2025-10-24
Last updated on: 2025-10-27
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| karmada | dashboard | 0.2.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an authentication bypass in the Karmada Dashboard API prior to version 0.2.0. While the web UI required a valid JWT token for access, the backend API endpoints such as /api/v1/secret and /api/v1/service did not enforce any authentication. This allowed unauthenticated users with network access to the Karmada Dashboard service to directly access sensitive cluster information like Secrets and Services without any authentication checks.
How can this vulnerability impact me? :
The vulnerability allows unauthorized users to access sensitive cluster information, including Secrets and Services, without authentication. This can lead to exposure of confidential data, potential compromise of cluster security, and unauthorized access to critical resources managed by the Karmada Dashboard.