The vulnerability arises from the kubelet's read-only port (10255 by default) being unintentionally left open because of how KubeletConfiguration serializes a ReadOnlyPort value of 0. Commit 097b63e588e3c844cdf9b967bcd0a69f4fc0aa0a addresses this.
The function defaultKubeletConfig in pkg/daemons/agent/agent.go builds the KubeletConfiguration that the agent writes out for the kubelet. Before the patch it set ReadOnlyPort: 0 in that struct; the patch removes that line. The comments added to the kubeletArgsAndConfig function in pkg/daemons/agent/agent_linux.go and pkg/daemons/agent/agent_windows.go explain why: // note: KubeletConfiguration will omit this field when marshalling if it is set to 0, so we set it via CLI. The field is declared with an omitempty JSON tag, so a zero value is dropped from the marshalled file. The kubelet then sees no readOnlyPort key at all, treats it as unset rather than as an explicit disable, and can fall back to its default, which leaves the port open. defaultKubeletConfig is therefore the function containing the vulnerable logic: its attempt to disable the port through the config struct never reached the kubelet.
The kubeletArgsAndConfig functions in agent_linux.go and agent_windows.go were changed to pass "read-only-port": "0" as a command-line argument instead. A CLI flag is always explicit, so it reliably disables the port. These functions are part of the fix, not the vulnerable code themselves.
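The omitempty behaviour described above, reproduced as an added Go example that is not k3s or kubelet code. kubeletConfigMirror is a cut-down stand-in for the real KubeletConfiguration type carrying only the JSON tag that matters; effectiveReadOnlyPort is a simplified model of flag-over-file-over-default precedence written for this example, and legacyDefaultReadOnlyPort (10255, the kubelet's historic read-only port) is the assumed fallback, not the kubelet's actual resolution code. kubeletArgs mirrors the shape of the fix: the disable goes on the command line.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// kubeletConfigMirror is a minimal stand-in for KubeletConfiguration (assumption:
// only the fields needed here). The tag is the important part: the upstream
// field is declared with `json:"readOnlyPort,omitempty"`, so a zero value is
// dropped on marshal instead of being written as an explicit 0.
type kubeletConfigMirror struct {
	Kind         string `json:"kind"`
	APIVersion   string `json:"apiVersion"`
	Port         int32  `json:"port,omitempty"`
	ReadOnlyPort int32  `json:"readOnlyPort,omitempty"`
}

// marshalConfig renders the config the way an agent would write it to disk.
func marshalConfig(cfg kubeletConfigMirror) string {
	b, err := json.Marshal(cfg)
	if err != nil {
		panic(err)
	}
	return string(b)
}

// configSetsReadOnlyPort reports whether the serialized file carries the key at
// all. An absent key means "apply the default", not "disable".
func configSetsReadOnlyPort(serialized string) bool {
	var m map[string]json.RawMessage
	if err := json.Unmarshal([]byte(serialized), &m); err != nil {
		return false
	}
	_, ok := m["readOnlyPort"]
	return ok
}

// legacyDefaultReadOnlyPort is the kubelet's historic read-only port; using it
// as the fallback here is an assumption made for this example.
const legacyDefaultReadOnlyPort int32 = 10255

// effectiveReadOnlyPort is a simplified model of precedence for this example:
// an explicit --read-only-port flag wins, then an explicit config key, and if
// neither is present the default applies. It is not the kubelet's own code.
func effectiveReadOnlyPort(serialized string, args []string) int32 {
	for _, a := range args {
		if strings.HasPrefix(a, "--read-only-port=") {
			var p int32
			fmt.Sscanf(strings.TrimPrefix(a, "--read-only-port="), "%d", &p)
			return p
		}
	}
	// A pointer distinguishes "key absent" from "key present with value 0".
	var m struct {
		ReadOnlyPort *int32 `json:"readOnlyPort"`
	}
	if err := json.Unmarshal([]byte(serialized), &m); err == nil && m.ReadOnlyPort != nil {
		return *m.ReadOnlyPort
	}
	return legacyDefaultReadOnlyPort
}

// kubeletArgs mirrors the shape of the fix: the disable is passed on the
// command line, where it cannot be dropped by omitempty. The config path is
// illustrative only.
func kubeletArgs(disableReadOnlyPort bool) []string {
	args := []string{"--config=/var/lib/rancher/k3s/agent/etc/kubelet.conf"}
	if disableReadOnlyPort {
		args = append(args, "--read-only-port=0")
	}
	return args
}

func main() {
	// Constructed input: the "before" intent, ReadOnlyPort explicitly set to 0.
	cfg := kubeletConfigMirror{
		Kind:         "KubeletConfiguration",
		APIVersion:   "kubelet.config.k8s.io/v1beta1",
		Port:         10250,
		ReadOnlyPort: 0,
	}
	file := marshalConfig(cfg)
	fmt.Println("written config:           ", file)
	fmt.Println("readOnlyPort key present: ", configSetsReadOnlyPort(file))
	fmt.Println("effective, config only:   ", effectiveReadOnlyPort(file, nil))
	fmt.Println("effective, with CLI flag: ", effectiveReadOnlyPort(file, kubeletArgs(true)))
}
```

The marshalled file contains no readOnlyPort key even though the struct set it to 0, and only the command-line flag produces an effective value of 0. On a running node the corresponding check is whether anything answers on the read-only port, for example an unauthenticated request to /pods on port 10255 of the node; after the fix that request should be refused.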
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| github.com/k3s-io/k3s | go | >= 1.32.0-rc1, < 1.32.4-rc1 | 1.32.4-rc1 |