CVE-2022-3162: Undocumented Read Escalation via Namespaced CRDs in K8s
CVE-2022-3162 Published on March 1, 2023
Unauthorized read of Custom Resources
Users authorized to list or watch one type of namespaced custom resource cluster-wide can read custom resources of a different type in the same API group without authorization. Clusters are impacted by this vulnerability if all of the following are true: 1. There are 2+ CustomResourceDefinitions sharing the same API group 2. Users have cluster-wide list or watch authorization on one of those custom resources. 3. The same users are not authorized to read another custom resource in the same API group.
Vulnerability Analysis
CVE-2022-3162 is exploitable with network access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality, with no impact on integrity and availability.
Weakness Type
Relative Path Traversal
The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory. This allows attackers to traverse the file system to access files or directories that are outside of the restricted directory.
Products Associated with CVE-2022-3162
You can be notified by email with stack.watch whenever vulnerabilities like CVE-2022-3162 are published in Kubernetes:
Affected Versions
Kubernetes:- Version unspecified, <= v1.25.3 is affected.
- Version unspecified, <= v1.24.7 is affected.
- Version unspecified, <= v1.23.13 is affected.
- Version unspecified, <= v1.22.15 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.