CVE-2022-3162

Users authorized to list or watch one type of namespaced custom resource cluster-wide can read custom resources of a different type in the same API group without authorization. Clusters are impacted by this vulnerability if all of the following are true: 1. There are 2+ CustomResourceDefinitions sharing the same API group 2. Users have cluster-wide list or watch authorization on one of those custom resources. 3. The same users are not authorized to read another custom resource in the same API group.
Path Traversal
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
6.5 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
kubernetesCNA
6.5 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVEADP
---
---
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 71%
VendorProductVersion
kuberneteskubernetes
𝑥
≤ 1.22.15
kuberneteskubernetes
1.23.0 ≤
𝑥
≤ 1.23.13
kuberneteskubernetes
1.24.0 ≤
𝑥
≤ 1.24.7
kuberneteskubernetes
1.25.0 ≤
𝑥
≤ 1.25.3
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
kubernetes
bullseye
1.20.5+really1.20.2-1
fixed
sid
1.20.5+really1.20.2-1.1
fixed
trixie
1.20.5+really1.20.2-1.1
fixed
bookworm
1.20.5+really1.20.2-1.1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
kubernetes
noble
needs-triage
mantic
ignored
lunar
ignored
kinetic
ignored
jammy
needs-triage
focal
needs-triage
bionic
dne
xenial
ignored
trusty
ignored
Common Weakness Enumeration
References
https://github.com/kubernetes/kubernetes/issues/113756
https://groups.google.com/g/kubernetes-security-announce/c/iUd550j7kjA
https://security.netapp.com/advisory/ntap-20230511-0004/
https://github.com/kubernetes/kubernetes/issues/113756
https://groups.google.com/g/kubernetes-security-announce/c/iUd550j7kjA
https://security.netapp.com/advisory/ntap-20230511-0004/