GHSA-2394-5535-8j88

Source

https://github.com/advisories/GHSA-2394-5535-8j88

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/03/GHSA-2394-5535-8j88/GHSA-2394-5535-8j88.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-2394-5535-8j88

Aliases

Published

2023-03-01T21:30:18Z

Modified

2024-08-20T20:59:13.567682Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

Kubernetes vulnerable to path traversal

Details

Users authorized to list or watch one type of namespaced custom resource cluster-wide can read custom resources of a different type in the same API group without authorization. Clusters are impacted by this vulnerability if all of the following are true: 1. There are 2+ CustomResourceDefinitions sharing the same API group 2. Users have cluster-wide list or watch authorization on one of those custom resources. 3. The same users are not authorized to read another custom resource in the same API group.

References

Affected packages

Go / github.com/kubernetes/kubernetes

Package

Name: github.com/kubernetes/kubernetes; View open source insights on deps.dev
Purl: pkg:golang/github.com/kubernetes/kubernetes

Affected ranges

Type: SEMVER
Events: Introduced

1.25.0

Fixed

1.25.4

Database specific

{
    "last_known_affected_version_range": "< 1.25.3"
}

Go / github.com/kubernetes/kubernetes

Package

Name: github.com/kubernetes/kubernetes; View open source insights on deps.dev
Purl: pkg:golang/github.com/kubernetes/kubernetes

Affected ranges

Type: SEMVER
Events: Introduced

1.24.0

Fixed

1.24.8

Go / github.com/kubernetes/kubernetes

Package

Name: github.com/kubernetes/kubernetes; View open source insights on deps.dev
Purl: pkg:golang/github.com/kubernetes/kubernetes

Affected ranges

Type: SEMVER
Events: Introduced

1.23.0

Fixed

1.23.14

Go / github.com/kubernetes/kubernetes

Package

Name: github.com/kubernetes/kubernetes; View open source insights on deps.dev
Purl: pkg:golang/github.com/kubernetes/kubernetes

Affected ranges

Type: SEMVER
Events: Introduced

1.22.0

Fixed

1.22.16