Vulnerability Description
Users authorized to list or watch one type of namespaced custom resource cluster-wide can read custom resources of a different type in the same API group without authorization. Clusters are impacted by this vulnerability if all of the following are true: 1. There are 2+ CustomResourceDefinitions sharing the same API group 2. Users have cluster-wide list or watch authorization on one of those custom resources. 3. The same users are not authorized to read another custom resource in the same API group.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Kubernetes | Kubernetes | <= 1.22.15 |
Related Weaknesses (CWE)
References
- https://github.com/kubernetes/kubernetes/issues/113756Issue TrackingVendor Advisory
- https://groups.google.com/g/kubernetes-security-announce/c/iUd550j7kjAMailing ListVendor Advisory
- https://security.netapp.com/advisory/ntap-20230511-0004/
- https://github.com/kubernetes/kubernetes/issues/113756Issue TrackingVendor Advisory
- https://groups.google.com/g/kubernetes-security-announce/c/iUd550j7kjAMailing ListVendor Advisory
- https://security.netapp.com/advisory/ntap-20230511-0004/
FAQ
What is CVE-2022-3162?
CVE-2022-3162 is a vulnerability with a CVSS score of 6.5 (MEDIUM). Users authorized to list or watch one type of namespaced custom resource cluster-wide can read custom resources of a different type in the same API group without authorization. Clusters are impacted b...
How severe is CVE-2022-3162?
CVE-2022-3162 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2022-3162?
Check the references section above for vendor advisories and patch information. Affected products include: Kubernetes Kubernetes.