8.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-3294

GHSA ID

GHSA-jh36-q97c-9928

EPSS Score

0.63648%

CWE

CWE-20

Published

3/1/2023

Updated

5/5/2023

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-3294

CVE-2022-3294: Kubernetes vulnerable to validation bypass

Users may have access to secure endpoints in the control plane network. Kubernetes clusters are only affected if an untrusted user can modify Node objects and send proxy requests to them. Kubernetes supports node proxying, which allows clients of kube-apiserver to access endpoints of a Kubelet to establish connections to Pods, retrieve container logs, and more. While Kubernetes already validates the proxying address for Nodes, a bug in kube-apiserver made it possible to bypass this validation. Bypassing this validation could allow authenticated requests destined for Nodes to to the API server's private network.

(GitHub Advisory)

8.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-3294

GHSA ID

GHSA-jh36-q97c-9928

EPSS Score

0.63648%

CWE

CWE-20

Published

3/1/2023

Updated

5/5/2023

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/kubernetes/kubernetes	go	>= 1.25.0, < 1.25.4	1.25.4
github.com/kubernetes/kubernetes	go	>= 1.22.0, < 1.22.16	1.22.16
github.com/kubernetes/kubernetes	go	>= 1.24.0, < 1.24.8	1.24.8
github.com/kubernetes/kubernetes	go	>= 1.23.0, < 1.23.14	1.23.14

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper validation in node proxying logic. The ProxyREST.Connect function is responsible for handling node proxy requests and validating target addresses. The vulnerability allowed bypassing network restrictions by accepting unvalidated address types (like InternalIP instead of ExternalIP) or localhost addresses. This matches the CWE-20 (Improper Input Validation) classification and aligns with the described attack vector where modified Node objects could route requests to API server's private network.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

Us*rs m*y **v* ****ss to s**ur* *n*points in t** *ontrol pl*n* n*twork. Ku**rn*t*s *lust*rs *r* only *****t** i* *n untrust** us*r **n mo*i*y No** o*j**ts *n* s*n* proxy r*qu*sts to t**m. Ku**rn*t*s supports no** proxyin*, w*i** *llows *li*nts o* ku*

Reasoning

T** vuln*r**ility st*ms *rom improp*r `v*li**tion` in no** proxyin* lo*i*. T** `ProxyR*ST.*onn**t` *un*tion is r*sponsi*l* *or **n*lin* no** proxy r*qu*sts *n* v*li**tin* t*r**t ***r*ss*s. T** vuln*r**ility *llow** *yp*ssin* n*twork r*stri*tions *y *

8.8

Basic Information

Concerned about an active attack path?

CVE-2022-3294: Kubernetes vulnerable to validation bypass

8.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI