{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-3294", "assignerOrgId": "a6081bf6-c852-4425-ad4f-a67919267565", "assignerShortName": "kubernetes", "dateUpdated": "2025-03-07T18:34:22.358Z", "dateReserved": "2022-09-23T00:00:00.000Z", "datePublished": "2023-03-01T00:00:00.000Z"}, "containers": {"cna": {"title": "Node address isn't always verified when proxying", "datePublic": "2022-11-10T00:00:00.000Z", "providerMetadata": {"orgId": "a6081bf6-c852-4425-ad4f-a67919267565", "shortName": "kubernetes", "dateUpdated": "2023-05-05T00:00:00.000Z"}, "descriptions": [{"lang": "en", "value": "Users may have access to secure endpoints in the control plane network. Kubernetes clusters are only affected if an untrusted user can modify Node objects and send proxy requests to them. Kubernetes supports node proxying, which allows clients of kube-apiserver to access endpoints of a Kubelet to establish connections to Pods, retrieve container logs, and more. While Kubernetes already validates the proxying address for Nodes, a bug in kube-apiserver made it possible to bypass this validation. Bypassing this validation could allow authenticated requests destined for Nodes to to the API server's private network."}], "affected": [{"vendor": "Kubernetes", "product": "Kubernetes", "versions": [{"version": "unspecified", "lessThanOrEqual": "v1.25.3", "status": "affected", "versionType": "custom"}, {"version": "unspecified", "lessThanOrEqual": "v1.24.7", "status": "affected", "versionType": "custom"}, {"version": "unspecified", "lessThanOrEqual": "v1.23.13", "status": "affected", "versionType": "custom"}, {"version": "unspecified", "lessThanOrEqual": "v1.22.15", "status": "affected", "versionType": "custom"}]}], "references": [{"url": "https://groups.google.com/g/kubernetes-security-announce/c/VyPOxF7CIbA"}, {"url": "https://github.com/kubernetes/kubernetes/issues/113757"}, {"url": "https://security.netapp.com/advisory/ntap-20230505-0007/"}], "credits": [{"lang": "en", "value": "Yuval Avrahami of Palo Alto Networks"}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 6.6, "baseSeverity": "MEDIUM"}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-20 Improper Input Validation", "cweId": "CWE-20"}]}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "source": {"defect": ["https://github.com/kubernetes/kubernetes/issues/113757"], "discovery": "EXTERNAL"}, "workarounds": [{"lang": "en", "value": "Configuring an egress proxy for egress to the cluster network can mitigate this vulnerability"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T01:07:05.856Z"}, "title": "CVE Program Container", "references": [{"url": "https://groups.google.com/g/kubernetes-security-announce/c/VyPOxF7CIbA", "tags": ["x_transferred"]}, {"url": "https://github.com/kubernetes/kubernetes/issues/113757", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20230505-0007/", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-03-07T18:34:14.280156Z", "id": "CVE-2022-3294", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-07T18:34:22.358Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://groups.google.com/g/kubernetes-security-announce/c/VyPOxF7CIbA", "tags": ["x_transferred"]}, {"url": "https://github.com/kubernetes/kubernetes/issues/113757", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20230505-0007/", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T01:07:05.856Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2022-3294", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-03-07T18:34:14.280156Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-07T18:34:18.652Z"}}], "cna": {"title": "Node address isn't always verified when proxying", "source": {"defect": ["https://github.com/kubernetes/kubernetes/issues/113757"], "discovery": "EXTERNAL"}, "credits": [{"lang": "en", "value": "Yuval Avrahami of Palo Alto Networks"}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.6, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "Kubernetes", "product": "Kubernetes", "versions": [{"status": "affected", "version": "unspecified", "versionType": "custom", "lessThanOrEqual": "v1.25.3"}, {"status": "affected", "version": "unspecified", "versionType": "custom", "lessThanOrEqual": "v1.24.7"}, {"status": "affected", "version": "unspecified", "versionType": "custom", "lessThanOrEqual": "v1.23.13"}, {"status": "affected", "version": "unspecified", "versionType": "custom", "lessThanOrEqual": "v1.22.15"}]}], "datePublic": "2022-11-10T00:00:00.000Z", "references": [{"url": "https://groups.google.com/g/kubernetes-security-announce/c/VyPOxF7CIbA"}, {"url": "https://github.com/kubernetes/kubernetes/issues/113757"}, {"url": "https://security.netapp.com/advisory/ntap-20230505-0007/"}], "workarounds": [{"lang": "en", "value": "Configuring an egress proxy for egress to the cluster network can mitigate this vulnerability"}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "descriptions": [{"lang": "en", "value": "Users may have access to secure endpoints in the control plane network. Kubernetes clusters are only affected if an untrusted user can modify Node objects and send proxy requests to them. Kubernetes supports node proxying, which allows clients of kube-apiserver to access endpoints of a Kubelet to establish connections to Pods, retrieve container logs, and more. While Kubernetes already validates the proxying address for Nodes, a bug in kube-apiserver made it possible to bypass this validation. Bypassing this validation could allow authenticated requests destined for Nodes to to the API server's private network."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-20", "description": "CWE-20 Improper Input Validation"}]}], "providerMetadata": {"orgId": "a6081bf6-c852-4425-ad4f-a67919267565", "shortName": "kubernetes", "dateUpdated": "2023-05-05T00:00:00.000Z"}}}, "cveMetadata": {"cveId": "CVE-2022-3294", "state": "PUBLISHED", "dateUpdated": "2025-03-07T18:34:22.358Z", "dateReserved": "2022-09-23T00:00:00.000Z", "assignerOrgId": "a6081bf6-c852-4425-ad4f-a67919267565", "datePublished": "2023-03-01T00:00:00.000Z", "assignerShortName": "kubernetes"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:kubernetes:kubernetes:*:*:*:*:*:*:*:*", "matchCriteriaId": "38E275C4-8711-435F-85D8-073116D467CF", "versionEndExcluding": "1.22.16", "vulnerable": true}, {"criteria": "cpe:2.3:a:kubernetes:kubernetes:*:*:*:*:*:*:*:*", "matchCriteriaId": "16AF218C-A7AD-4A8A-9F97-A89D1ADC6C67", "versionEndExcluding": "1.23.14", "versionStartIncluding": "1.23.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:kubernetes:kubernetes:*:*:*:*:*:*:*:*", "matchCriteriaId": "FD71BF6D-ABA3-4974-856B-10B9450C741F", "versionEndExcluding": "1.24.8", "versionStartIncluding": "1.24.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:kubernetes:kubernetes:*:*:*:*:*:*:*:*", "matchCriteriaId": "105810A5-2E62-441A-B07B-9F8A0E774712", "versionEndExcluding": "1.25.4", "versionStartIncluding": "1.25.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Users may have access to secure endpoints in the control plane network. Kubernetes clusters are only affected if an untrusted user can modify Node objects and send proxy requests to them. Kubernetes supports node proxying, which allows clients of kube-apiserver to access endpoints of a Kubelet to establish connections to Pods, retrieve container logs, and more. While Kubernetes already validates the proxying address for Nodes, a bug in kube-apiserver made it possible to bypass this validation. Bypassing this validation could allow authenticated requests destined for Nodes to to the API server's private network."}], "id": "CVE-2022-3294", "lastModified": "2024-11-21T07:19:14.187", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 0.7, "impactScore": 5.9, "source": "jordan@liggitt.net", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-03-01T19:15:25.570", "references": [{"source": "jordan@liggitt.net", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/kubernetes/kubernetes/issues/113757"}, {"source": "jordan@liggitt.net", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://groups.google.com/g/kubernetes-security-announce/c/VyPOxF7CIbA"}, {"source": "jordan@liggitt.net", "url": "https://security.netapp.com/advisory/ntap-20230505-0007/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/kubernetes/kubernetes/issues/113757"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://groups.google.com/g/kubernetes-security-announce/c/VyPOxF7CIbA"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://security.netapp.com/advisory/ntap-20230505-0007/"}], "sourceIdentifier": "jordan@liggitt.net", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "jordan@liggitt.net", "type": "Secondary"}, {"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "Upstream acknowledges Kubernetes Security Response Committee as the original reporter.", "affected_release": [{"advisory": "RHBA-2023:0452", "cpe": "cpe:/a:redhat:openshift:4.12::el8", "package": "microshift-0:4.12.1-202301261525.p0.g3db9e81.assembly.4.12.1.el8", "product_name": "Red Hat OpenShift Container Platform 4.12", "release_date": "2023-01-30T00:00:00Z"}], "bugzilla": {"description": "kubernetes: node address isn't always verified when proxying", "id": "2136675", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136675"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.8", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-288", "details": ["Users may have access to secure endpoints in the control plane network. Kubernetes clusters are only affected if an untrusted user can modify Node objects and send proxy requests to them. Kubernetes supports node proxying, which allows clients of kube-apiserver to access endpoints of a Kubelet to establish connections to Pods, retrieve container logs, and more. While Kubernetes already validates the proxying address for Nodes, a bug in kube-apiserver made it possible to bypass this validation. Bypassing this validation could allow authenticated requests destined for Nodes to to the API server's private network.", "A flaw was found in Kubernetes, where users may have access to secure endpoints in the control plane network. Kubernetes supports node proxying, which allows clients of kube-apiserver to access endpoints of a Kubelet to establish connections to Pods, retrieve container logs, and more. While Kubernetes already validates the proxying address for Nodes, a bug in the kube-apiserver made it possible to bypass this validation. Bypassing this validation allows authenticated requests destined for Nodes to redirect to the API Server through its private network."], "name": "CVE-2022-3294", "package_state": [{"cpe": "cpe:/a:redhat:openshift:3.11", "fix_state": "Out of support scope", "package_name": "atomic-openshift", "product_name": "Red Hat OpenShift Container Platform 3.11"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-tests", "product_name": "Red Hat OpenShift Container Platform 4"}], "public_date": "2022-11-10T17:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-3294\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-3294\nhttps://github.com/kubernetes/kubernetes/issues/113757"], "statement": "Kubernetes clusters are only affected if an untrusted user can modify Node objects and send requests proxying through them.\nThe \"openshift\" component of Red Hat OpenShift Container Platform 4 was fixed in RHBA-2023:0452 and as such is marked not affected.", "threat_severity": "Moderate"}