CVE-2022-3162

MITRE NVD CVE.ORG Print: PDF PDF

Summary

CVECVE-2022-3162
StatePUBLIC
Assigner[email protected]
Source PriorityCVE Program / NVD first with legacy fallback
Published2023-03-01 19:15:00 UTC
Updated2023-05-11 15:15:00 UTC
DescriptionUsers authorized to list or watch one type of namespaced custom resource cluster-wide can read custom resources of a different type in the same API group without authorization. Clusters are impacted by this vulnerability if all of the following are true: 1. There are 2+ CustomResourceDefinitions sharing the same API group 2. Users have cluster-wide list or watch authorization on one of those custom resources. 3. The same users are not authorized to read another custom resource in the same API group.

Risk And Classification

Problem Types: CWE-22

NVD Known Affected Configurations (CPE 2.3)

TypeVendorProductVersionUpdateEditionLanguage
Application Kubernetes Kubernetes All All All All
Application Kubernetes Kubernetes All All All All
Application Kubernetes Kubernetes All All All All
Application Kubernetes Kubernetes All All All All

References

ReferenceSourceLinkTags
CVE-2022-3162 Kubernetes Vulnerability in NetApp Products | NetApp Product Security CONFIRM security.netapp.com
[Security Advisory] CVE-2022-3162: Unauthorized read of Custom Resources MLIST groups.google.com
CVE-2022-3162: Unauthorized read of Custom Resources · Issue #113756 · kubernetes/kubernetes · GitHub CONFIRM github.com
CVE Program record CVE.ORG www.cve.org canonical
NVD vulnerability detail NVD nvd.nist.gov canonical, analysis

Vendor Comments And Credit

Discovery Credit

LEGACY: Richard Turnbull of NCC Group

Legacy QID Mappings

  • 160338 Oracle Enterprise Linux Security Update for kubernetes (ELSA-2022-10034)
  • 160339 Oracle Enterprise Linux Security Update for kubernetes (ELSA-2022-10035)
  • 160340 Oracle Enterprise Linux Security Update for kubernetes (ELSA-2022-10033)
  • 160341 Oracle Enterprise Linux Security Update for kubernetes (ELSA-2022-10036)
  • 181205 Debian Security Update for kubernetes (CVE-2022-3162)
  • 241070 Red Hat OpenShift Container Platform 4.12 Security Update (RHSA-2022:7398)
  • 241196 Red Hat OpenShift Container Platform 4.12 Security Update (RHSA-2023:0772)
  • 283329 Fedora Security Update for kubernetes (FEDORA-2022-2004702d98)
  • 283408 Fedora Security Update for kubernetes (FEDORA-2022-8647729ff8)
  • 377844 Kubernetes Unauthorized Read of Custom Resources Vulnerability
  • 754042 SUSE Enterprise Linux Security Update for kubernetes1.23 (SUSE-SU-2023:2292-1)
  • 770172 Red Hat OpenShift Container Platform 4.12 Security Update (RHSA-2022:7398)
  • 770177 Red Hat OpenShift Container Platform 4.12 Security Update (RHSA-2023:0772)
  • 905698 Common Base Linux Mariner (CBL-Mariner) Security Update for kube-vip-cloud-provider (13782)
  • 905699 Common Base Linux Mariner (CBL-Mariner) Security Update for keda (13781)
  • 905700 Common Base Linux Mariner (CBL-Mariner) Security Update for rook (13783)
  • 905702 Common Base Linux Mariner (CBL-Mariner) Security Update for cert-manager (13780)
  • 906939 Common Base Linux Mariner (CBL-Mariner) Security Update for cert-manager (13780-1)
© CVE.report 2026 |

Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.

CVE, CWE, and OVAL are registred trademarks of The MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. This site includes MITRE data granted under the following license.

CVE.report and Source URL Uptime Status status.cve.report