The Kubernetes community recently discovered vulnerability CVE-2022-3172. Attackers can use an aggregated API server to redirect client traffic to a custom URL. This can lead to privilege escalation or sensitive information leakage.
CVE-2022-3172 is rated as medium severity. The Common Vulnerability Scoring System (CVSS) score of this vulnerability is 5.1.
Affected versions
The following kube-apiserver versions are affected:
- v1.25.0
- v1.24.0~v1.24.4
- v1.23.0~v1.23.10
- v1.22.0~v1.22.13
- ≤ v1.21
This vulnerability is fixed in the following kube-apiserver versions:
- v1.25.1
- v1.24.5
- v1.23.11
- v1.22.14
Impacts
Attackers who have read and write permissions on APIService objects can use an aggregated API server to redirect client traffic to a custom URL. This can lead to privilege escalation or sensitive information leakage.
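As an added triage aid that is not part of this advisory, the script below checks a kube-apiserver version against the affected ranges listed above and lists the APIService objects that are actually served by an aggregated API server (those with `spec.service` set; built-in groups have none). It assumes minors newer than v1.25 are unaffected, and the sample APIService list is constructed, not real cluster output.

```python
import json
import re

# Affected kube-apiserver ranges from the advisory: minor -> last affected patch.
# Every release with minor <= 21 is affected; minors not listed (>= 26) are
# treated as unaffected, an assumption since they postdate the fix.
LAST_AFFECTED_PATCH = {22: 13, 23: 10, 24: 4, 25: 0}

def parse_version(v):
    """Turn 'v1.24.3' (or '1.24.3-eks-1') into (major, minor, patch)."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", v)
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    return tuple(int(x) for x in m.groups())

def is_affected(version):
    """True if this kube-apiserver version is in a CVE-2022-3172 affected range."""
    major, minor, patch = parse_version(version)
    if major != 1:
        return False
    if minor <= 21:
        return True
    return minor in LAST_AFFECTED_PATCH and patch <= LAST_AFFECTED_PATCH[minor]

def aggregated_apiservices(apiservice_list):
    """Return (name, namespace/service) for APIService objects proxied to an
    aggregated API server. Built-in groups carry no spec.service and are Local."""
    found = []
    for item in apiservice_list.get("items", []):
        svc = item.get("spec", {}).get("service")
        if svc:
            found.append((item["metadata"]["name"],
                          f"{svc.get('namespace')}/{svc.get('name')}"))
    return found

# Constructed sample resembling `kubectl get apiservices -o json` (not real data).
SAMPLE_APISERVICES = json.loads("""{"items": [
 {"metadata": {"name": "v1.apps"}, "spec": {"group": "apps", "version": "v1"}},
 {"metadata": {"name": "v1beta1.metrics.k8s.io"},
  "spec": {"group": "metrics.k8s.io", "version": "v1beta1",
           "service": {"namespace": "kube-system", "name": "metrics-server"}}}
]}""")

def triage(version, apiservice_list):
    """Exposure summary: affected server version AND at least one aggregated API."""
    aggregated = aggregated_apiservices(apiservice_list)
    affected = is_affected(version)
    return {"version_affected": affected, "aggregated": aggregated,
            "exposed": affected and bool(aggregated)}

if __name__ == "__main__":
    print(json.dumps(triage("v1.24.3", SAMPLE_APISERVICES), indent=2))
```

Clusters flagged as exposed should be upgraded to the fixed versions listed above, and write access to APIService objects should be limited to the operators that genuinely need it.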