CVE-2024-0793Improper Input Validation in Kubernetes

CWE-20Improper Input ValidationCWE-476NULL Pointer Dereference6 documents5 sources
Severity
7.7HIGHNVD
EPSS
0.1%
top 66.61%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
K8s.io Kubernetes
Timeline
PublishedNov 17
Latest updateNov 19

Description

A flaw was found in kube-controller-manager. This issue occurs when the initial application of a HPA config YAML lacking a .spec.behavior.scaleUp block causes a denial of service due to KCM pods going into restart churn.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:HExploitability: 3.1 | Impact: 4.0

Affected Packages1 packages

Gok8s.io/kubernetes< 1.27.0-alpha.1

🔴Vulnerability Details

4
OSV
Kubernetes Nil pointer dereference in KCM after v1 HPA patch request in k8s.io/kubernetes2024-11-19
GHSA
Kubernetes Nil pointer dereference in KCM after v1 HPA patch request2024-11-17
OSV
Kubernetes Nil pointer dereference in KCM after v1 HPA patch request2024-11-17
CVEList
Kube-controller-manager: malformed hpa v1 manifest causes crash2024-11-17

📋Vendor Advisories

1
Red Hat
kube-controller-manager: malformed HPA v1 manifest causes crash2024-02-07
CVE-2024-0793 — Improper Input Validation in Kubernetes | cvebase