GHSA-q4rr-64r9-fwgf

Source

https://github.com/advisories/GHSA-q4rr-64r9-fwgf

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-q4rr-64r9-fwgf/GHSA-q4rr-64r9-fwgf.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-q4rr-64r9-fwgf

Aliases

Related

CGA-w892-3j99-vg54

Published

2022-05-13T01:21:42Z

Modified

2024-08-20T20:58:47.910732Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Summary

Kubernetes DoS Vulnerability

Details

In all Kubernetes versions prior to v1.11.8, v1.12.6, and v1.13.4, users that are authorized to make patch requests to the Kubernetes API Server can send a specially crafted patch of type "json-patch" (e.g. kubectl patch --type json or "Content-Type: application/json-patch+json") that consumes excessive resources while processing, causing a Denial of Service on the API Server.

References

Affected packages

Go / k8s.io/kubernetes

Package

Name: k8s.io/kubernetes; View open source insights on deps.dev
Purl: pkg:golang/k8s.io/kubernetes

Affected ranges

Type: SEMVER
Events: Introduced

1.0

Last affected

1.10

Go / k8s.io/kubernetes

Package

Name: k8s.io/kubernetes; View open source insights on deps.dev
Purl: pkg:golang/k8s.io/kubernetes

Affected ranges

Type: SEMVER
Events: Introduced

1.11.0

Fixed

1.11.8

Database specific

{
    "last_known_affected_version_range": "<= 1.11.7"
}

Go / k8s.io/kubernetes

Package

Name: k8s.io/kubernetes; View open source insights on deps.dev
Purl: pkg:golang/k8s.io/kubernetes

Affected ranges

Type: SEMVER
Events: Introduced

1.12.0

Fixed

1.12.6

Database specific

{
    "last_known_affected_version_range": "<= 1.12.5"
}

Go / k8s.io/kubernetes

Package

Name: k8s.io/kubernetes; View open source insights on deps.dev
Purl: pkg:golang/k8s.io/kubernetes

Affected ranges

Type: SEMVER
Events: Introduced

1.13.0

Fixed

1.13.4

Database specific

{
    "last_known_affected_version_range": "<= 1.13.3"
}