CVE-2022-3162
MEDIUM 6.5
Description
Users authorized to list or watch one type of namespaced custom resource cluster-wide can read custom resources of a different type in the same API group without authorization. Clusters are impacted by this vulnerability if all of the following are true:
1. There are 2+ CustomResourceDefinitions sharing the same API group.
2. Users have cluster-wide list or watch authorization on one of those custom resources.
3. The same users are not authorized to read another custom resource in the same API group.
CVE Details
CVSS v3.1 Score: 6.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector: NETWORK
Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Published: 3/1/2023
Last Modified: 11/21/2024
Source: nvd
Honeypot Sightings: 0
Affected Products
kubernetes:kubernetes
Weaknesses (CWE)
CWE-23, CWE-22
References
https://github.com/kubernetes/kubernetes/issues/113756 (jordan@liggitt.net)
https://groups.google.com/g/kubernetes-security-announce/c/iUd550j7kjA (jordan@liggitt.net)
https://security.netapp.com/advisory/ntap-20230511-0004/ (jordan@liggitt.net)
https://github.com/kubernetes/kubernetes/issues/113756 (af854a3a-2127-422b-91ae-364da2661108)
https://groups.google.com/g/kubernetes-security-announce/c/iUd550j7kjA (af854a3a-2127-422b-91ae-364da2661108)
https://security.netapp.com/advisory/ntap-20230511-0004/ (af854a3a-2127-422b-91ae-364da2661108)
IOC Correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.