The Kubernetes community recently disclosed vulnerability CVE-2022-3172. Attackers can use an aggregated API server to redirect client traffic to a custom URL, which can lead to privilege escalation or sensitive information leakage.

CVE-2022-3172 is rated as medium severity. The Common Vulnerability Scoring System (CVSS) score of this vulnerability is 5.1.

Affected versions

The following kube-apiserver versions are affected:

  • v1.25.0
  • v1.24.0~v1.24.4
  • v1.23.0~v1.23.10
  • v1.22.0~v1.22.13
  • ≤ v1.21

This vulnerability is fixed in the following kube-apiserver versions:

  • v1.25.1
  • v1.24.5
  • v1.23.11
  • v1.22.14

Impacts

Attackers that have read and write permissions on APIService objects can use an aggregated API server to redirect client traffic to a custom URL. This can lead to privilege escalation or sensitive information leakage.

Mitigation

  1. Make sure that only trusted users have read and write permissions on APIService objects. This prevents untrusted users from deploying and controlling an aggregated API server through APIService objects.
    Note: No mitigation measures are available for this vulnerability. We recommend that you do not grant untrusted users access to aggregated API servers, and that you do not grant untrusted users read and write permissions on APIService objects.
  2. Check the release notes of ACK and update your cluster to a fixed version at the earliest opportunity.
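The two checks a cluster operator would want to run for this advisory are whether the kube-apiserver version falls in an affected range, and which ClusterRoles grant write verbs on APIService objects (APIService is cluster-scoped, so only ClusterRoles bound through ClusterRoleBindings can grant it). The following Python helper is an added example written for this page; it is not code from the advisory, ACK or the Kubernetes project. The ClusterRole and APIService objects embedded below are constructed sample data in the shape returned by `kubectl get clusterroles -o json` and `kubectl get apiservices -o json` (the `.items` array); the version table is taken from the fixed releases listed above.

```python
"""Audit helpers for CVE-2022-3172 exposure (added example, not advisory or project code)."""
import re

# First fixed patch release on each affected minor line, per the advisory above.
# v1.21 and earlier have no fix and are treated as affected; v1.26+ shipped after the fix.
FIXED_PATCH = {25: 1, 24: 5, 23: 11, 22: 14}

# Verbs that let a subject create or modify an APIService (and so point it at a service they control).
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection", "*"}


def parse_version(version):
    """Turn 'v1.24.4' (or '1.24.4') into (1, 24, 4)."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version)
    if m is None:
        raise ValueError(f"unrecognised kube-apiserver version: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable(version):
    """True if this kube-apiserver version is in an affected range of CVE-2022-3172."""
    major, minor, patch = parse_version(version)
    if major < 1 or (major == 1 and minor <= 21):
        return True
    if major == 1 and minor in FIXED_PATCH:
        return patch < FIXED_PATCH[minor]
    return False


def rule_grants_apiservice_write(rule):
    """True if one RBAC rule grants a write verb on apiservices.apiregistration.k8s.io."""
    groups = set(rule.get("apiGroups", []))
    resources = set(rule.get("resources", []))
    verbs = set(rule.get("verbs", []))
    group_ok = "*" in groups or "apiregistration.k8s.io" in groups
    resource_ok = "*" in resources or "apiservices" in resources
    return group_ok and resource_ok and bool(verbs & WRITE_VERBS)


def roles_granting_apiservice_write(clusterroles):
    """Names of ClusterRoles whose rules allow writing APIService objects, sorted."""
    return sorted(
        role["metadata"]["name"]
        for role in clusterroles
        if any(rule_grants_apiservice_write(rule) for rule in role.get("rules", []))
    )


def aggregated_apiservices(apiservices):
    """Names of APIService objects backed by an in-cluster service (spec.service set).

    Built-in groups are 'Local' and have spec.service == null; the others are the
    aggregated API servers whose traffic kube-apiserver proxies and that this CVE concerns.
    """
    return sorted(a["metadata"]["name"] for a in apiservices if a.get("spec", {}).get("service"))


# Constructed sample objects (not taken from a real cluster).
SAMPLE_CLUSTERROLES = [
    {"metadata": {"name": "cluster-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"metadata": {"name": "apiservice-editor"},
     "rules": [{"apiGroups": ["apiregistration.k8s.io"], "resources": ["apiservices"],
                "verbs": ["get", "list", "create", "update", "patch", "delete"]}]},
    {"metadata": {"name": "apiservice-viewer"},
     "rules": [{"apiGroups": ["apiregistration.k8s.io"], "resources": ["apiservices"],
                "verbs": ["get", "list", "watch"]}]},
    {"metadata": {"name": "pod-reader"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]}]},
]

SAMPLE_APISERVICES = [
    {"metadata": {"name": "v1.apps"},
     "spec": {"group": "apps", "version": "v1", "service": None}},
    {"metadata": {"name": "v1beta1.metrics.k8s.io"},
     "spec": {"group": "metrics.k8s.io", "version": "v1beta1",
              "service": {"name": "metrics-server", "namespace": "kube-system", "port": 443}}},
]


if __name__ == "__main__":
    for v in ("v1.21.14", "v1.24.4", "v1.24.5", "v1.25.0", "v1.25.1"):
        print(f"{v}: {'AFFECTED' if is_vulnerable(v) else 'fixed'}")
    print("ClusterRoles that can write APIService objects:",
          roles_granting_apiservice_write(SAMPLE_CLUSTERROLES))
    print("Aggregated API servers in use:", aggregated_apiservices(SAMPLE_APISERVICES))
```

To run this against a real cluster, replace the two sample lists with the `items` of the JSON from `kubectl get clusterroles -o json` and `kubectl get apiservices -o json`, and read the server version from `kubectl version -o json` (the `serverVersion.gitVersion` field). The role check looks only at rules, not at who is bound to each role; follow it with `kubectl get clusterrolebindings` to see which subjects actually hold the flagged roles.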