GHSA-2394-5535-8j88

Suggest an improvement
Source
https://github.com/advisories/GHSA-2394-5535-8j88
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/03/GHSA-2394-5535-8j88/GHSA-2394-5535-8j88.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-2394-5535-8j88
Aliases
Published
2023-03-01T21:30:18Z
Modified
2024-08-20T20:59:13.567682Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
Kubernetes vulnerable to path traversal
Details

Users authorized to list or watch one type of namespaced custom resource cluster-wide can read custom resources of a different type in the same API group without authorization. Clusters are impacted by this vulnerability if all of the following are true: 1. There are 2+ CustomResourceDefinitions sharing the same API group 2. Users have cluster-wide list or watch authorization on one of those custom resources. 3. The same users are not authorized to read another custom resource in the same API group.

References

Affected packages

Go / github.com/kubernetes/kubernetes

Package

Name
github.com/kubernetes/kubernetes
View open source insights on deps.dev
Purl
pkg:golang/github.com/kubernetes/kubernetes

Affected ranges

Type
SEMVER
Events
Introduced
1.25.0
Fixed
1.25.4

Database specific

{
    "last_known_affected_version_range": "< 1.25.3"
}

Go / github.com/kubernetes/kubernetes

Package

Name
github.com/kubernetes/kubernetes
View open source insights on deps.dev
Purl
pkg:golang/github.com/kubernetes/kubernetes

Affected ranges

Type
SEMVER
Events
Introduced
1.24.0
Fixed
1.24.8

Go / github.com/kubernetes/kubernetes

Package

Name
github.com/kubernetes/kubernetes
View open source insights on deps.dev
Purl
pkg:golang/github.com/kubernetes/kubernetes

Affected ranges

Type
SEMVER
Events
Introduced
1.23.0
Fixed
1.23.14

Go / github.com/kubernetes/kubernetes

Package

Name
github.com/kubernetes/kubernetes
View open source insights on deps.dev
Purl
pkg:golang/github.com/kubernetes/kubernetes

Affected ranges

Type
SEMVER
Events
Introduced
1.22.0
Fixed
1.22.16