CVE-2023-22480
KubeOperator allows unauthorized access to system API
Description
### Summary Unauthorized access refers to the ability to bypass the system's preset permission settings to access some API interfaces. The attack exploits a flaw in how online applications handle routing permissions. ### Affected Version <= v3.16.3 ### Patches The vulnerability has been fixed in v3.16.3. https://github.com/KubeOperator/KubeOperator/commit/7ef42bf1c16900d13e6376f8be5ecdbfdfb44aaf ### Workarounds It is recommended to upgrade the version to v3.16.4. ### For more information If you have any questions or comments about this advisory, please open an issue. ### References https://github.com/KubeOperator/KubeOperator/releases/tag/v3.16.4
How to fix CVE-2023-22480
No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.
- —no fix listed
Is CVE-2023-22480 being exploited?
Likely — EPSS is 75.6%, placing CVE-2023-22480 in the top tier of vulnerabilities by exploitation probability. Prioritise patching.
Affected packages (1)
- from 0, <= 3.16.3
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH7.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L |