Improper access control in apiserver

#VU71364 Improper access control in apiserver

Published: 2023-01-19

Vulnerability identifier: #VU71364

Vulnerability risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-3162

CWE-ID: CWE-284

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
apiserver
Web applications / Other software

Vendor: Kubernetes

Description

The vulnerability allows a remote user to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions. Users authorized to list or watch one type of namespaced custom resource cluster-wide can read custom resources of a different kind in the same API group they are not authorized to read.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

apiserver: 1.22.0 - 1.25.3

External links
http://access.redhat.com/errata/RHSA-2022:7399

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Red Hat Ansible Automation Platform 2.4 for RHEL 9

Multiple vulnerabilities in IBM Storage Fusion

openEuler 22.03 LTS SP2 update for kubernetes

openEuler 22.03 LTS SP1 update for kubernetes

openEuler 22.03 LTS update for kubernetes

openEuler 20.03 LTS SP3 update for kubernetes

Multiple vulnerabiltiies in Red Hat OpenShift Service Mesh Containers 2.4

SUSE update for kubernetes1.23

Multiple vulnerabilities in IBM InfoSphere Information Server

Multiple vulnerabilities in OpenShift Container Platform 4.12