CVE-2022-3162Relative Path Traversal in Kubernetes Kubernetes

CWE-23Relative Path TraversalCWE-22Path Traversal9 documents7 sources
Severity
6.5MEDIUMNVD
EPSS
1.0%
top 22.68%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
KubernetesGithub.com Kubernetes KubernetesK8s.io Kubernetes
Timeline
PublishedMar 1
Latest updateAug 20

Description

Users authorized to list or watch one type of namespaced custom resource cluster-wide can read custom resources of a different type in the same API group without authorization. Clusters are impacted by this vulnerability if all of the following are true: 1. There are 2+ CustomResourceDefinitions sharing the same API group 2. Users have cluster-wide list or watch authorization on one of those custom resources. 3. The same users are not authorized to read another custom resource in the same API gr

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages5 packages

Gok8s.io/kubernetes1.22.01.22.16+3
Gogithub.com/kubernetes_kubernetes1.25.01.25.4+3
Debiankubernetes/kubernetes< 1.20.5+really1.20.2-1+3
CVEListV5kubernetes/kubernetesunspecifiedv1.25.3+3
NVDkubernetes/kubernetes1.23.01.23.13+3

🔴Vulnerability Details

5
OSV
Kubernetes vulnerable to path traversal in k8s.io/kubernetes2024-08-20
OSV
Kubernetes vulnerable to path traversal2023-03-01
OSV
CVE-2022-3162: Users authorized to list or watch one type of namespaced custom resource cluster-wide can read custom resources of a different type in the same API gr2023-03-01
GHSA
Kubernetes vulnerable to path traversal2023-03-01
CVEList
Unauthorized read of Custom Resources2023-03-01

📋Vendor Advisories

3
Microsoft
Unauthorized read of Custom Resources2023-03-14
Red Hat
kubernetes: Unauthorized read of Custom Resources2022-11-10
Debian
CVE-2022-3162: kubernetes - Users authorized to list or watch one type of namespaced custom resource cluster...2022
CVE-2022-3162 — Relative Path Traversal | cvebase