CVE-2022-3294

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2022-3294
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-3294.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2022-3294
Aliases
Downstream
Related
Published
2023-03-01T19:15:25.570Z
Modified
2026-02-07T03:55:44.345149Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

Users may have access to secure endpoints in the control plane network. Kubernetes clusters are only affected if an untrusted user can modify Node objects and send proxy requests to them. Kubernetes supports node proxying, which allows clients of kube-apiserver to access endpoints of a Kubelet to establish connections to Pods, retrieve container logs, and more. While Kubernetes already validates the proxying address for Nodes, a bug in kube-apiserver made it possible to bypass this validation. Bypassing this validation could allow authenticated requests destined for Nodes to to the API server's private network.

References

Affected packages

Git / github.com/kubernetes/kubelet

Affected ranges

Type
GIT
Repo
https://github.com/kubernetes/kubelet
Events
Introduced
dfb3e7ad852bb4bddb790a705c185cef198c2823
Fixed
0f3bf5c4007b7cdaedd76a42d5a596996ee5b085
Fixed
8101aa62e43b04b5092715d892c7e6b08ee1b9d0
Introduced
d37f045d808033445aaa284ad80454c948b37958
Fixed
8faa8adc2ecf68ad1c3be07cbec7ba900e2538a4
Introduced
b1292eb3207057f0274a51330ba8d612f4faadd6
Fixed
d81cda24db83d0ae4082a6d84ed5d208598021db

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-3294.json"

Git / github.com/kubernetes/kubernetes

Affected ranges

Type
GIT
Repo
https://github.com/kubernetes/kubernetes
Events
Introduced
ab69524f795c42094a6630298ff53f3c3ebab7f4
Fixed
3321ffc07d2f046afdf613796f9032f4460de093
Introduced
a866cbe2e5bbaa01cfd5e969aa3e033f3282a8a2
Fixed
872a965c6c6526caa949f0c6ac028ef7aff3fb78
Fixed
b28e1f370a4a4c428ddbeababcaf0198f048fcac
Introduced
4ce5a8954017644c5420bae81d72b09b735c21f0
Fixed
fdc77503e954d1ee641c0e350481f7528e8d068b

Affected versions

v1.*
v1.23.0
v1.23.1
v1.23.1-rc.0
v1.23.10
v1.23.10-rc.0
v1.23.11
v1.23.11-rc.0
v1.23.12
v1.23.12-rc.0
v1.23.13
v1.23.13-rc.0
v1.23.14-rc.0
v1.23.2
v1.23.2-rc.0
v1.23.3
v1.23.3-rc.0
v1.23.4
v1.23.4-rc.0
v1.23.5
v1.23.5-rc.0
v1.23.6
v1.23.6-rc.0
v1.23.7
v1.23.7-rc.0
v1.23.8
v1.23.8-rc.0
v1.23.9
v1.23.9-rc.0
v1.24.0
v1.24.1
v1.24.1-rc.0
v1.24.2
v1.24.2-rc.0
v1.24.3
v1.24.3-rc.0
v1.24.4
v1.24.4-rc.0
v1.24.5
v1.24.5-rc.0
v1.24.6
v1.24.6-rc.0
v1.24.7
v1.24.7-rc.0
v1.24.8-rc.0
v1.25.0
v1.25.1
v1.25.1-rc.0
v1.25.2
v1.25.2-rc.0
v1.25.3
v1.25.3-rc.0
v1.25.4-rc.0

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-3294.json"