CVE-2022-3172
Severity CVSS v4.0:
Pending analysis
Type:
CWE-918
Server-Side Request Forgery (SSRF)
Publication date:
03/11/2023
Last modified:
13/02/2025
Description
A security issue was discovered in kube-apiserver that allows an <br />
aggregated API server to redirect client traffic to any URL. This could<br />
lead to the client performing unexpected actions as well as forwarding <br />
the client&#39;s API server credentials to third parties.
Impact
Base Score 3.x
5.10
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:kubernetes:apiserver:*:*:*:*:*:*:*:* | 1.21.14 (including) | |
| cpe:2.3:a:kubernetes:apiserver:*:*:*:*:*:*:*:* | 1.22.0 (including) | 1.22.14 (excluding) |
| cpe:2.3:a:kubernetes:apiserver:*:*:*:*:*:*:*:* | 1.23.0 (including) | 1.23.11 (excluding) |
| cpe:2.3:a:kubernetes:apiserver:*:*:*:*:*:*:*:* | 1.24.0 (including) | 1.24.5 (excluding) |
| cpe:2.3:a:kubernetes:apiserver:1.25.0:*:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://github.com/kubernetes/kubernetes/issues/112513
- https://groups.google.com/g/kubernetes-security-announce/c/_aLzYMpPRak
- https://security.netapp.com/advisory/ntap-20231221-0005/
- https://github.com/kubernetes/kubernetes/issues/112513
- https://groups.google.com/g/kubernetes-security-announce/c/_aLzYMpPRak
- https://security.netapp.com/advisory/ntap-20231221-0005/