karmada vulnerable to arbitrary code execution via a crafted command
An issue in karmada-io karmada v1.9.0 and before allows a local attacker to execute arbitrary code via a crafted command to get the token component.
Impact

The Karmada components deployed with karmadactl, karmada-operator, and the Helm chart use the Go default cipher suites for TLS, and that default list includes an insecure algorithm. As discussed in https://github.com/golang/go/issues/41476#issuecomment-694914728, the 3DES weakness is very unlikely to be exploited in practice. However, to address the concerns and to stop security scanners from flagging the components, Karmada has decided to limit the cipher …
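The following is an added example, not code from the Karmada project, showing the defensive pattern the advisory describes: instead of leaving `tls.Config.CipherSuites` nil (which selects Go's default list), a component pins an explicit allowlist and checks that list for the suites scanners flag. The allowlist below is an illustrative assumption, not Karmada's actual configuration; `weakSuites`, `hardenedCipherSuites` and `newServerTLSConfig` are hypothetical helper names.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// hardenedCipherSuites is an explicit TLS 1.2 allowlist containing only
// forward-secret AEAD suites. Assumption: illustrative list chosen for this
// example, not the list Karmada settled on.
func hardenedCipherSuites() []uint16 {
	return []uint16{
		tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
		tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
		tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
		tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
		tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
		tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
	}
}

// weakSuites returns the names of every suite in ids that is built on 3DES
// or RC4, the algorithms a scanner reports. An empty result means the list
// is clean. tls.CipherSuiteName resolves an ID to its standard name.
func weakSuites(ids []uint16) []string {
	var weak []string
	for _, id := range ids {
		name := tls.CipherSuiteName(id)
		if strings.Contains(name, "3DES") || strings.Contains(name, "RC4") {
			weak = append(weak, name)
		}
	}
	return weak
}

// defaultSuiteIDs is what a component effectively gets when it leaves
// CipherSuites nil: Go's built-in list, which in older Go releases still
// carried 3DES suites.
func defaultSuiteIDs() []uint16 {
	var ids []uint16
	for _, s := range tls.CipherSuites() {
		ids = append(ids, s.ID)
	}
	return ids
}

// newServerTLSConfig builds the config a component would hand to its
// listener: TLS 1.2 as the floor and the pinned allowlist. Note that the
// CipherSuites field only governs TLS 1.2; TLS 1.3 suites are fixed by Go.
func newServerTLSConfig(cert tls.Certificate) *tls.Config {
	return &tls.Config{
		MinVersion:   tls.VersionTLS12,
		CipherSuites: hardenedCipherSuites(),
		Certificates: []tls.Certificate{cert},
	}
}

func main() {
	fmt.Println("weak suites in Go default list:", weakSuites(defaultSuiteIDs()))
	fmt.Println("weak suites in hardened list:", weakSuites(hardenedCipherSuites()))
}
```

Running the check against `defaultSuiteIDs()` reproduces what the scanner sees on a given Go version, while the hardened config is what removes the finding regardless of which Go release built the binary.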