CVE-2023-48713

28.11.2023, 04:15

Knative Serving builds on Kubernetes to support deploying and serving of applications and functions as serverless containers. An attacker who controls a pod to a degree where they can control the responses from the /metrics endpoint can cause Denial-of-Service of the autoscaler from an unbound memory allocation bug. This is a DoS vulnerability, where a non-privileged Knative user can cause a DoS for the cluster. This issue has been patched in version 0.39.0.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	6.5 MEDIUM	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
GitHub_M	CNA	6.5 MEDIUM	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CVE	ADP	---				---
CISA-ADP	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 23%

Vendor	Product	Version
knative	serving	𝑥 < 1.10.5
knative	serving	1.11.0 ≤ 𝑥 < 1.11.3

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-400 - Uncontrolled Resource Consumption
The software does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

References

https://github.com/knative/serving/commit/012ee2509231b80b7842139bfabc30516d3026ca

https://github.com/knative/serving/commit/101f814112b9ca0767f457e7e616b46205551cf1

https://github.com/knative/serving/commit/fff40ef7bac9be8380ec3d1c70fc15b57093382a

https://github.com/knative/serving/security/advisories/GHSA-qmvj-4qr9-v547

https://github.com/knative/serving/commit/012ee2509231b80b7842139bfabc30516d3026ca

https://github.com/knative/serving/commit/101f814112b9ca0767f457e7e616b46205551cf1

https://github.com/knative/serving/commit/fff40ef7bac9be8380ec3d1c70fc15b57093382a

https://github.com/knative/serving/security/advisories/GHSA-qmvj-4qr9-v547