CVE-2022-3162
Description
Users authorized to list or watch one type of namespaced custom resource cluster-wide can read custom resources of a different type in the same API group without authorization. Clusters are impacted by this vulnerability if all of the following are true: 1. There are 2+ CustomResourceDefinitions sharing the same API group 2. Users have cluster-wide list or watch authorization on one of those custom resources. 3. The same users are not authorized to read another custom resource in the same API group.
Predictions
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or โ if you've already worked around this in production โ publish your fix to the community-verified tier.
โ Propose a mitigation on Community โ Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here withsource_tier=community-verified.
OS impact
SUSE Affected 1 release
| Version | Status | Fixed in |
|---|---|---|
| โ | Affected | โ |
Debian Fixed 5 releases
| Version | Status | Fixed in |
|---|---|---|
| trixie | Fixed | 1.20.5+really1.20.2-1 |
| sid | Fixed | 1.20.5+really1.20.2-1 |
| forky | Fixed | 1.20.5+really1.20.2-1 |
| bullseye | Fixed | 1.20.5+really1.20.2-1 |
| bookworm | Fixed | 1.20.5+really1.20.2-1 |
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| Go | github.com/kubernetes/kubernetes | >=1.25.0,<1.25.4 | 1.25.4 |
| Go | github.com/kubernetes/kubernetes | >=1.24.0,<1.24.8 | 1.24.8 |
| Go | github.com/kubernetes/kubernetes | >=1.23.0,<1.23.14 | 1.23.14 |
| Go | github.com/kubernetes/kubernetes | >=1.22.0,<1.22.16 | 1.22.16 |
| Go | k8s.io/kubernetes | >=1.25.0,<1.25.4 | 1.22.16 |
References
- https://nvd.nist.gov/vuln/detail/CVE-2022-3162
- https://github.com/kubernetes/kubernetes/issues/113756
- https://github.com/kubernetes/kubernetes
- https://groups.google.com/g/kubernetes-security-announce/c/iUd550j7kjA
- https://security.netapp.com/advisory/ntap-20230511-0004
- https://www.suse.com/security/cve/CVE-2022-3162.html
- https://github.com/advisories/GHSA-2394-5535-8j88
- https://security-tracker.debian.org/tracker/CVE-2022-3162
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.