Loading HuntDB...
Hunt
Vulnerability Intelligence by wss.sh
Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News
Sign In Sign Up

GHSA-2394-5535-8j88

GitHub Security Advisory

Kubernetes vulnerable to path traversal

✓ GitHub Reviewed MODERATE Has CVE
View on GitHub

Advisory Details

Users authorized to list or watch one type of namespaced custom resource cluster-wide can read custom resources of a different type in the same API group without authorization. Clusters are impacted by this vulnerability if all of the following are true: 1. There are 2+ CustomResourceDefinitions sharing the same API group 2. Users have cluster-wide list or watch authorization on one of those custom resources. 3. The same users are not authorized to read another custom resource in the same API group.

Affected Packages

Go github.com/kubernetes/kubernetes
Affected versions: 1.25.0 (fixed in 1.25.4)
Go github.com/kubernetes/kubernetes
Affected versions: 1.24.0 (fixed in 1.24.8)
Go github.com/kubernetes/kubernetes
Affected versions: 1.23.0 (fixed in 1.23.14)
Go github.com/kubernetes/kubernetes
Affected versions: 1.22.0 (fixed in 1.22.16)

Related CVEs

CVE-2022-3162

Key Information

GHSA ID
GHSA-2394-5535-8j88
Published
March 1, 2023 9:30 PM
Last Modified
March 10, 2023 10:38 PM
CVSS Score
5.0 /10
Primary Ecosystem
Go
Primary Package
github.com/kubernetes/kubernetes
GitHub Reviewed
✓ Yes

Dataset

Last updated: September 14, 2025 6:31 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.