You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
A security issue was discovered in kube-apiserver that could allow an attacker controlled aggregated API server to redirect client traffic to any URL. This could lead to the client performing unexpected actions as well as leaking the client's credentials to third parties.
There is no mitigation from this issue. Cluster admins should take care to secure aggregated API servers and should not grant access to mutate APIServices to untrusted parties.
What did you expect to happen?
NA
How can we reproduce it (as minimally and precisely as possible)?
NA
Anything else we need to know?
Affected Versions:
kube-apiserver v1.25.0
kube-apiserver v1.24.0 - v1.24.4
kube-apiserver v1.23.0 - v1.23.10
kube-apiserver v1.22.0 - v1.22.14
kube-apiserver <= v1.21.?
Fixed Versions:
kube-apiserver v1.25.1
kube-apiserver v1.24.5
kube-apiserver v1.23.11
kube-apiserver v1.22.14
This vulnerability was reported by Nicolas Joly & Weinong Wang from Microsoft
Hi @pacoxu,
Thanks for opening an issue!
We will look into it as soon as possible.
Details
Instructions for interacting with me using comments are available here.
If you have questions or suggestions related to my behavior, please file an issue against the [gh-ci-bot](https://github.com/wzshiming/gh-ci-bot) repository.
What happened?
A security issue was discovered in kube-apiserver that could allow an attacker controlled aggregated API server to redirect client traffic to any URL. This could lead to the client performing unexpected actions as well as leaking the client's credentials to third parties.
There is no mitigation from this issue. Cluster admins should take care to secure aggregated API servers and should not grant access to mutate APIServices to untrusted parties.
What did you expect to happen?
NA
How can we reproduce it (as minimally and precisely as possible)?
NA
Anything else we need to know?
Affected Versions:
Fixed Versions:
This vulnerability was reported by Nicolas Joly & Weinong Wang from Microsoft
CVSS Rating: Medium (5.1) CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:L
The text was updated successfully, but these errors were encountered: