GO-2024-2748

See a problem?
Please try reporting it to the source first.

Source

https://pkg.go.dev/vuln/GO-2024-2748

Import Source

https://vuln.go.dev/ID/GO-2024-2748.json

JSON Data

https://api.osv.dev/v1/vulns/GO-2024-2748

Aliases

Published

2024-05-20T19:46:32Z

Modified

2024-10-22T05:28:52.848968Z

Summary

Privilege Escalation in Kubernetes in k8s.io/apimachinery

Details

The Kubernetes kube-apiserver is vulnerable to an unvalidated redirect on proxied upgrade requests that could allow an attacker to escalate privileges from a node compromise to a full cluster compromise.

Database specific

{
    "url": "https://pkg.go.dev/vuln/GO-2024-2748",
    "review_status": "REVIEWED"
}

References

Affected packages

Go / k8s.io/apimachinery

Package

Name: k8s.io/apimachinery; View open source insights on deps.dev
Purl: pkg:golang/k8s.io/apimachinery

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.16.13

Introduced

0.17.0

Fixed

0.17.9

Introduced

0.18.0

Fixed

0.18.7-rc.0

Ecosystem specific

{
    "imports": [
        {
            "symbols": [
                "ConnectWithRedirects"
            ],
            "path": "k8s.io/apimachinery/pkg/util/net"
        },
        {
            "symbols": [
                "UpgradeAwareHandler.ServeHTTP",
                "UpgradeAwareHandler.tryUpgrade"
            ],
            "path": "k8s.io/apimachinery/pkg/util/proxy"
        }
    ]
}

Go / k8s.io/kubernetes

Package

Name: k8s.io/kubernetes; View open source insights on deps.dev
Purl: pkg:golang/k8s.io/kubernetes

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.16.13

Introduced

1.17.0

Fixed

1.17.9

Introduced

1.18.0

Fixed

1.18.7