Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Thu, 10 Nov 2022 09:25:36 -0800
From: Tim Allclair <>
Subject: [kubernetes] CVE-2022-3162: Unauthorized read of Custom Resources

Hello Kubernetes Community,

A security issue was discovered in Kubernetes where users authorized to
list or watch one type of namespaced custom resource cluster-wide can read
custom resources of a different type in the same API group without

This issue has been rated Medium (
and assigned CVE-2022-3162
Am I vulnerable?

Clusters are impacted by this vulnerability if all of the following are


   There are 2+ CustomResourceDefinitions sharing the same API group

   Users have cluster-wide list or watch authorization on one of those
   custom resources.

   The same users are not authorized to read another custom resource in the
   same API group.

Affected Versions


   Kubernetes kube-apiserver <= v1.25.3

   Kubernetes kube-apiserver <= v1.24.7

   Kubernetes kube-apiserver <= v1.23.13

   Kubernetes kube-apiserver <= v1.22.15

How do I mitigate this vulnerability?

Upgrading the kube-apiserver to a fixed version mitigates this

Prior to upgrading, this vulnerability can be mitigated by avoiding
granting cluster-wide list and watch permissions.
Fixed Versions


   Kubernetes kube-apiserver v1.25.4

   Kubernetes kube-apiserver v1.24.8

   Kubernetes kube-apiserver v1.23.14

   Kubernetes kube-apiserver v1.22.16

These releases will be published over the course of today, November 10th.

Requests containing `..` in the request path are a likely indicator of
exploitation. Request paths may be captured in API audit logs, or in
kube-apiserver HTTP logs.

If you find evidence that this vulnerability has been exploited, please
Additional Details

See the GitHub issue for more details:

This vulnerability was reported by Richard Turnbull of NCC Group as part of
the Kubernetes Audit.

Thank You,

Tim Allclair on behalf of the Kubernetes Security Response Committee

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.