CVE-2022-3162

DEB

Medium

Users authorized to list or watch one type of namespaced custom resource cluster-wide can read custom resources of a different type in the …

CVSS

6.5

Medium

EPSS

0.01

p63

Published

2022-01-01

Updated

2022-01-01

Description

Users authorized to list or watch one type of namespaced custom resource cluster-wide can read custom resources of a different type in the same API group without authorization. Clusters are impacted by this vulnerability if all of the following are true: 1. There are 2+ CustomResourceDefinitions sharing the same API group 2. Users have cluster-wide list or watch authorization on one of those custom resources. 3. The same users are not authorized to read another custom resource in the same API group.

Tags · CWE

CWE-23

CAPEC-76

CAPEC-139

Affected products

Kubernetes ≤ 1.22.15Kubernetes 1.23.0–1.23.13Kubernetes 1.24.0–1.24.7Kubernetes 1.25.0–1.25.3

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Timeline

2022-01-01

Published

2022-01-01

Updated

CVSS 3.1 breakdown

Attack Vector

AV: N

Network (N)

Attack Complexity

AC: L

Low (L)

Privileges Required

PR: L

Low (L)

User Interaction

UI: N

None (N)

Scope

S: U

Unchanged (U)

Confidentiality Impact

C: H

High (H)

Integrity Impact

I: N

None (N)

Availability Impact

A: N

None (N)

Exploit indicators

EPSS

0.012 · p63

Known exploited (KEV)

Known exploits — Сканер-ВС

No Сканер-ВС checks registered for this vulnerability yet.

Affected products

Product	Vendor	Status
kubernetes		Tracked
kubernetes		Tracked
kubernetes		Tracked
kubernetes		Tracked
kubernetes		Tracked
kubernetes		Tracked
kubernetes		Tracked
kubernetes		Tracked
kubernetes		Tracked
kubernetes		Tracked
microshift		Tracked
openshift		Tracked
kubernetes	*	Tracked

Source databases

DEB

CVE

RED

UBU

Related vulnerabilities

BDU:2022-06757