CVE-2022-3294 Affecting kubectl package, versions <0:1.24.8-1.el8


Severity

Recommended
0.0
high
0
10

Based on Oracle Linux security rating

    Threat Intelligence

    EPSS
    0.17% (54th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-ORACLE8-KUBECTL-3151027
  • published 1 Dec 2022
  • disclosed 1 Mar 2023

How to fix?

Upgrade Oracle:8 kubectl to version 0:1.24.8-1.el8 or higher.
This issue was patched in ELSA-2022-10036.

NVD Description

Note: Versions mentioned in the description apply only to the upstream kubectl package and not the kubectl package as distributed by Oracle. See How to fix? for Oracle:8 relevant fixed versions and status.

Users may have access to secure endpoints in the control plane network. Kubernetes clusters are only affected if an untrusted user can modify Node objects and send proxy requests to them. Kubernetes supports node proxying, which allows clients of kube-apiserver to access endpoints of a Kubelet to establish connections to Pods, retrieve container logs, and more. While Kubernetes already validates the proxying address for Nodes, a bug in kube-apiserver made it possible to bypass this validation. Bypassing this validation could allow authenticated requests destined for Nodes to to the API server's private network.

CVSS Scores

version 3.1
Expand this section

NVD

8.8 high
  • Attack Vector (AV)
    Network
  • Attack Complexity (AC)
    Low
  • Privileges Required (PR)
    Low
  • User Interaction (UI)
    None
  • Scope (S)
    Unchanged
  • Confidentiality (C)
    High
  • Integrity (I)
    High
  • Availability (A)
    High
Expand this section

SUSE

6.6 medium
Expand this section

Red Hat

8.8 high