Kubernetes vulnerable to path traversal

GHSA-2394-5535-8j88 · CVE-2022-3162 · GO-2023-1628

Published Mar 1, 2023 · Modified Aug 20, 2024

Description

Users authorized to list or watch one type of namespaced custom resource cluster-wide can read custom resources of a different type in the same API group without authorization. Clusters are impacted by this vulnerability if all of the following are true: 1. There are 2+ CustomResourceDefinitions sharing the same API group 2. Users have cluster-wide list or watch authorization on one of those custom resources. 3. The same users are not authorized to read another custom resource in the same API group.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2022-3162
WEB https://github.com/kubernetes/kubernetes/issues/113756
PACKAGE https://github.com/kubernetes/kubernetes
WEB https://groups.google.com/g/kubernetes-security-announce/c/iUd550j7kjA
WEB https://security.netapp.com/advisory/ntap-20230511-0004

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes