github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-24 20:24:09 +00:00
Code Issues Projects Releases Wiki Activity

Add CVE-2022-3162 to CHANGELOG-1.24.md

Browse Source 
Signed-off-by: Marko Mudrinić <mudrinic.mare@gmail.com>
This commit is contained in:
Marko Mudrinić 2022-11-10 19:40:38 +01:00
parent 2432d6d1fd
commit 04ad0d4b67
No known key found for this signature in database
GPG Key ID: F15730C52ACE0E9D
1 changed files with 24 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
CHANGELOG/CHANGELOG-1.24.md
View File

@ -9,6 +9,7 @@
- [Container Images](#container-images)
- [Changelog since v1.24.7](#changelog-since-v1247)
- [Important Security Information](#important-security-information)
- [CVE-2022-3162: Unauthorized read of Custom Resources](#cve-2022-3162-unauthorized-read-of-custom-resources)
- [CVE-2022-3294: Node address isn't always verified when proxying](#cve-2022-3294-node-address-isnt-always-verified-when-proxying)
- [Changes by Kind](#changes-by-kind)
- [API Change](#api-change)
@ -57,7 +58,7 @@
- [Changelog since v1.24.4](#changelog-since-v1244)
- [Important Security Information](#important-security-information-1)
- [CVE-2022-3172: Aggregated API server can cause clients to be redirected (SSRF)](#cve-2022-3172-aggregated-api-server-can-cause-clients-to-be-redirected-ssrf)
- [CVE-2021-25749: <code>runAsNonRoot</code> logic bypass for Windows containers](#cve-2021-25749-runasnonroot-logic-bypass-for-windows-containers)
- [CVE-2021-25749: `runAsNonRoot` logic bypass for Windows containers](#cve-2021-25749-runasnonroot-logic-bypass-for-windows-containers)
- [Am I vulnerable?](#am-i-vulnerable)
- [Affected Versions](#affected-versions)
- [How do I mitigate this vulnerability?](#how-do-i-mitigate-this-vulnerability)
@ -364,6 +365,28 @@ name | architectures
This release contains changes that address the following vulnerabilities:
### CVE-2022-3162: Unauthorized read of Custom Resources
A security issue was discovered in Kubernetes where users authorized to list or watch one type of namespaced custom resource cluster-wide can read custom resources of a different type in the same API group they are not authorized to read.
**Affected Versions**:
- kube-apiserver v1.25.0 - v1.25.3
- kube-apiserver v1.24.0 - v1.24.7
- kube-apiserver v1.23.0 - v1.23.13
- kube-apiserver v1.22.0 - v1.22.15
- kube-apiserver <= v1.21.?
**Fixed Versions**:
- kube-apiserver v1.25.4
- kube-apiserver v1.24.8
- kube-apiserver v1.23.13
- kube-apiserver v1.22.16
This vulnerability was reported by Richard Turnbull of NCC Group as part of the Kubernetes Audit
**CVSS Rating:** Medium (6.5) [CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N](https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
### CVE-2022-3294: Node address isn't always verified when proxying
A security issue was discovered in Kubernetes where users may have access to secure endpoints in the control plane network. Kubernetes clusters are only affected if an untrusted user can to modify Node objects and send requests proxying through them.