CVE-2022-3162
Last modified
CVE-2022-3162 is a medium-severity vulnerability rated 6.5/10 on the CVSS scale. Users authorized to list or watch one type of namespaced custom resource cluster-wide can read custom resources of a different type in the same API group without authorization. Clusters are impacted by this vulnerability if all of the following are true: 1. EPSS estimates a 1.19% chance of exploitation in the next 30 days.
Description
Users authorized to list or watch one type of namespaced custom resource cluster-wide can read custom resources of a different type in the same API group without authorization. Clusters are impacted by this vulnerability if all of the following are true: 1. There are 2+ CustomResourceDefinitions sharing the same API group 2. Users have cluster-wide list or watch authorization on one of those custom resources. 3. The same users are not authorized to read another custom resource in the same API group.
Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Kubernetes | Kubernetes | <= 1.22.15 |
| Kubernetes | Kubernetes | >= 1.23.0, <= 1.23.13 |
| Kubernetes | Kubernetes | >= 1.24.0, <= 1.24.7 |
| Kubernetes | Kubernetes | >= 1.25.0, <= 1.25.3 |
References
- https://github.com/kubernetes/kubernetes/issues/113756Issue Tracking, Vendor Advisory
- https://groups.google.com/g/kubernetes-security-announce/c/iUd550j7kjAMailing List, Vendor Advisory
- https://github.com/kubernetes/kubernetes/issues/113756Issue Tracking, Vendor Advisory
- https://groups.google.com/g/kubernetes-security-announce/c/iUd550j7kjAMailing List, Vendor Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2022-3162?
How severe is CVE-2022-3162?
How do I fix CVE-2022-3162?
Are you affected by CVE-2022-3162?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST