Bug 2136675 (CVE-2022-3294) - CVE-2022-3294 kubernetes: node address isn't always verified when proxying
Summary: CVE-2022-3294 kubernetes: node address isn't always verified when proxying
Keywords:
Status: NEW
Alias: CVE-2022-3294
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2141990 2141991
Blocks: 2134975
Reported: 2022-10-20 22:18 UTC by Anten Skrabec
Modified: 2024-03-19 18:25 UTC

Fixed In Version: Kubernetes kube-apiserver 1.25.4, Kubernetes kube-apiserver 1.24.8, Kubernetes kube-apiserver 1.23.14, Kubernetes kube-apiserver 1.22.16
Clone Of:
Environment:
Last Closed:
Embargoed:



Description Anten Skrabec 2022-10-20 22:18:22 UTC
A security issue was discovered in Kubernetes where users may have access
to secure endpoints in the control plane network. Kubernetes clusters are
only affected if an untrusted user can modify Node objects and send
requests proxying through them.

Comment 3 Avinash Hanwate 2022-11-11 11:02:27 UTC
Created golang-k8s-kubernetes tracking bugs for this issue:

Affects: fedora-all [bug 2141991]


Created origin tracking bugs for this issue:

Affects: fedora-all [bug 2141990]

