CVE-2022-3162 MEDIUM

CVE-2022-3162: Unauthorized read of Custom Resources

Vendor Kubernetes
Product Kubernetes
Weakness CWE-23
Published March 1, 2023
Last update March 7, 2025

CVSS base score

6.5/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

Description

Users authorized to list or watch one type of namespaced custom resource cluster-wide can read custom resources of a different type in the same API group without authorization. Clusters are impacted by this vulnerability if all of the following are true:

1. There are 2+ CustomResourceDefinitions sharing the same API group.
2. Users have cluster-wide list or watch authorization on one of those custom resources.
3. The same users are not authorized to read another custom resource in the same API group.

Key dates

Disclosure timeline

March 1, 2023 CVE published
March 7, 2025 Record updated