x/vulndb: potential Go vuln in github.com/kubernetes/kubernetes: GHSA-jh36-q97c-9928

[GoVulnBot]

In GitHub Security Advisory GHSA-jh36-q97c-9928, there is a vulnerability in the following Go packages or modules:

Unit	Fixed	Vulnerable Ranges
github.com/kubernetes/kubernetes	1.222.16	>= 1.22.0, < 1.22.16

Cross references:

• Module github.com/kubernetes/kubernetes appears in issue x/vulndb: potential Go vuln in github.com/kubernetes/kubernetes/pkg/kubectl/cmd/cp: GHSA-34jx-wx69-9x8v #782 NOT_IMPORTABLE
• Module github.com/kubernetes/kubernetes appears in issue x/vulndb: potential Go vuln in github.com/kubernetes/kubernetes: GHSA-579h-mv94-g4gp #792 NOT_IMPORTABLE
• Module github.com/kubernetes/kubernetes appears in issue x/vulndb: potential Go vuln in github.com/kubernetes/kubernetes/pkg/kubectl/cmd/cp: GHSA-6qfg-8799-r575 #802 NOT_IMPORTABLE
• Module github.com/kubernetes/kubernetes appears in issue x/vulndb: potential Go vuln in github.com/kubernetes/kubernetes: GHSA-mqf3-28j7-3mj6 #857 NOT_IMPORTABLE
• Module github.com/kubernetes/kubernetes appears in issue x/vulndb: potential Go vuln in github.com/kubernetes/kubernetes/pkg/kubelet/server: GHSA-qhm4-jxv7-j9pq #867 NOT_IMPORTABLE
• Module github.com/kubernetes/kubernetes appears in issue x/vulndb: potential Go vuln in github.com/kubernetes/kubernetes/pkg/volume/storageos: GHSA-x6mj-w4jf-jmgw #890 NOT_IMPORTABLE
• Module github.com/kubernetes/kubernetes appears in issue x/vulndb: potential Go vuln in github.com/kubernetes/kubernetes/pkg/apiserver: GHSA-xx8c-m748-xr4j #893 NOT_IMPORTABLE

See doc/triage.md for instructions on how to triage this report.

modules:
  - module: github.com/kubernetes/kubernetes
    versions:
      - introduced: TODO (earliest fixed "1.222.16", vuln range ">= 1.22.0, < 1.22.16")
    packages:
      - package: github.com/kubernetes/kubernetes
  - module: github.com/kubernetes/kubernetes
    versions:
      - introduced: 1.23.0
        fixed: 1.23.14
    packages:
      - package: kubernetesgithub.com/kubernetes/kubernetes
  - module: github.com/kubernetes/kubernetes
    versions:
      - introduced: 1.24.0
        fixed: 1.24.8
    packages:
      - package: kubernetesgithub.com/kubernetes/kubernetes
  - module: github.com/kubernetes/kubernetes
    versions:
      - introduced: 1.25.0
        fixed: 1.25.4
    packages:
      - package: github.com/kubernetes/kubernetes
description: Users may have access to secure endpoints in the control plane network.
    Kubernetes clusters are only affected if an untrusted user can modify Node objects
    and send proxy requests to them. Kubernetes supports node proxying, which allows
    clients of kube-apiserver to access endpoints of a Kubelet to establish connections
    to Pods, retrieve container logs, and more. While Kubernetes already validates
    the proxying address for Nodes, a bug in kube-apiserver made it possible to bypass
    this validation. Bypassing this validation could allow authenticated requests
    destined for Nodes to to the API server's private network.
cves:
  - CVE-2022-3294
ghsas:
  - GHSA-jh36-q97c-9928
references:
  - web: https://nvd.nist.gov/vuln/detail/CVE-2022-3294
  - report: https://github.com/kubernetes/kubernetes/issues/113757
  - web: https://groups.google.com/g/kubernetes-security-announce/c/VyPOxF7CIbA
  - advisory: https://github.com/advisories/GHSA-jh36-q97c-9928

[gopherbot]

Change https://go.dev/cl/475915 mentions this issue: data/excluded: batch add GO-2023-1629, GO-2023-1628, GO-2023-1627, GO-2023-1622

[gopherbot]

Change https://go.dev/cl/592759 mentions this issue: data/reports: unexclude 75 reports

[gopherbot]

Change https://go.dev/cl/606783 mentions this issue: data/reports: unexclude 20 reports (3)