CVE-2022-3294

MITRE NVD CVE.ORG Print: PDF PDF

Summary

CVECVE-2022-3294
StatePUBLIC
Assigner[email protected]
Source PriorityCVE Program / NVD first with legacy fallback
Published2023-03-01 19:15:00 UTC
Updated2023-05-05 20:15:00 UTC
DescriptionUsers may have access to secure endpoints in the control plane network. Kubernetes clusters are only affected if an untrusted user can modify Node objects and send proxy requests to them. Kubernetes supports node proxying, which allows clients of kube-apiserver to access endpoints of a Kubelet to establish connections to Pods, retrieve container logs, and more. While Kubernetes already validates the proxying address for Nodes, a bug in kube-apiserver made it possible to bypass this validation. Bypassing this validation could allow authenticated requests destined for Nodes to to the API server's private network.

Risk And Classification

Problem Types: NVD-CWE-noinfo

NVD Known Affected Configurations (CPE 2.3)

TypeVendorProductVersionUpdateEditionLanguage
Application Kubernetes Kubernetes All All All All

References

ReferenceSourceLinkTags
[Security Advisory] CVE-2022-3294: Node address isn't always verified when proxying MLIST groups.google.com
CVE-2022-3294: Node address isn't always verified when proxying · Issue #113757 · kubernetes/kubernetes · GitHub CONFIRM github.com
CVE-2022-3294 Kubernetes Vulnerability in NetApp Products | NetApp Product Security CONFIRM security.netapp.com
CVE Program record CVE.ORG www.cve.org canonical
NVD vulnerability detail NVD nvd.nist.gov canonical, analysis

Vendor Comments And Credit

Discovery Credit

LEGACY: Yuval Avrahami of Palo Alto Networks

Legacy QID Mappings

  • 160338 Oracle Enterprise Linux Security Update for kubernetes (ELSA-2022-10034)
  • 160339 Oracle Enterprise Linux Security Update for kubernetes (ELSA-2022-10035)
  • 160340 Oracle Enterprise Linux Security Update for kubernetes (ELSA-2022-10033)
  • 160341 Oracle Enterprise Linux Security Update for kubernetes (ELSA-2022-10036)
  • 181206 Debian Security Update for kubernetes (CVE-2022-3294)
  • 283329 Fedora Security Update for kubernetes (FEDORA-2022-2004702d98)
  • 283408 Fedora Security Update for kubernetes (FEDORA-2022-8647729ff8)
  • 377841 Kubernetes Node Address Proxying Vulnerability
  • 754042 SUSE Enterprise Linux Security Update for kubernetes1.23 (SUSE-SU-2023:2292-1)
  • 905711 Common Base Linux Mariner (CBL-Mariner) Security Update for k3s (13819)
© CVE.report 2026 |

Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.

CVE, CWE, and OVAL are registred trademarks of The MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. This site includes MITRE data granted under the following license.

CVE.report and Source URL Uptime Status status.cve.report