CVE-2023-22480 HIGH

CVE-2023-22480: KubeOperator is vulnerable to unauthorized access to system API

Vendor Kubeoperator

Product KubeOperator

Weakness CWE-285

Published January 14, 2023

Last update March 10, 2025

View on NVD All CVEs

CVSS base score

7.3/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality Low

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

What the vulnerability does

01Description

KubeOperator is an open source Kubernetes distribution focused on helping enterprises plan, deploy and operate production-level K8s clusters. In KubeOperator versions 3.16.3 and below, API interfaces with unauthorized entities and can leak sensitive information. This vulnerability could be used to take over the cluster under certain conditions. This issue has been patched in version 3.16.4.

Key dates

02Disclosure timeline

January 14, 2023 CVE published

March 10, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2023-22480

Related vulnerabilities

04Related CVE

CVE-2025-4672 Offsprout Page Builder 2.2.1 - 2.15.2 - Authenticated (Contributor+) Privilege Escalation via permission_callback Function CVE-2022-3748 Improper authorization that can lead to account impersonation CVE-2026-33162 Craft CMS: Authorization bypass in "entries/move-to-section" allows control panel user to move entries without section permissions CVE-2017-16773 CVE-2025-6099 szluyu99 gin-vue-blog PATCH Request manager.go improper authorization