Closed
Description
In GitHub Security Advisory GHSA-2394-5535-8j88, there is a vulnerability in the following Go packages or modules:
| Unit | Fixed | Vulnerable Ranges |
|---|---|---|
| github.com/kubernetes/kubernetes | 1.22.16 | >= 1.22.0, < 1.22.16 |
Cross references:
- Module github.com/kubernetes/kubernetes appears in issue x/vulndb: potential Go vuln in github.com/kubernetes/kubernetes/pkg/kubectl/cmd/cp: GHSA-34jx-wx69-9x8v #782 NOT_IMPORTABLE
- Module github.com/kubernetes/kubernetes appears in issue x/vulndb: potential Go vuln in github.com/kubernetes/kubernetes: GHSA-579h-mv94-g4gp #792 NOT_IMPORTABLE
- Module github.com/kubernetes/kubernetes appears in issue x/vulndb: potential Go vuln in github.com/kubernetes/kubernetes/pkg/kubectl/cmd/cp: GHSA-6qfg-8799-r575 #802 NOT_IMPORTABLE
- Module github.com/kubernetes/kubernetes appears in issue x/vulndb: potential Go vuln in github.com/kubernetes/kubernetes: GHSA-mqf3-28j7-3mj6 #857 NOT_IMPORTABLE
- Module github.com/kubernetes/kubernetes appears in issue x/vulndb: potential Go vuln in github.com/kubernetes/kubernetes/pkg/kubelet/server: GHSA-qhm4-jxv7-j9pq #867 NOT_IMPORTABLE
- Module github.com/kubernetes/kubernetes appears in issue x/vulndb: potential Go vuln in github.com/kubernetes/kubernetes/pkg/volume/storageos: GHSA-x6mj-w4jf-jmgw #890 NOT_IMPORTABLE
- Module github.com/kubernetes/kubernetes appears in issue x/vulndb: potential Go vuln in github.com/kubernetes/kubernetes/pkg/apiserver: GHSA-xx8c-m748-xr4j #893 NOT_IMPORTABLE
See doc/triage.md for instructions on how to triage this report.
modules:
    - module: github.com/kubernetes/kubernetes
      versions:
          - introduced: 1.22.0
            fixed: 1.22.16
      packages:
          - package: github.com/kubernetes/kubernetes
    - module: github.com/kubernetes/kubernetes
      versions:
          - introduced: 1.23.0
            fixed: 1.23.14
      packages:
          - package: github.com/kubernetes/kubernetes
    - module: github.com/kubernetes/kubernetes
      versions:
          - introduced: 1.24.0
            fixed: 1.24.8
      packages:
          - package: github.com/kubernetes/kubernetes
    - module: github.com/kubernetes/kubernetes
      versions:
          - introduced: TODO (earliest fixed "1.25.4", vuln range ">= 1.25.0, < 1.25.3")
      packages:
          - package: github.com/kubernetes/kubernetes
description: |
    Users authorized to list or watch one type of namespaced custom resource
    cluster-wide can read custom resources of a different type in the same API
    group without authorization. Clusters are impacted by this vulnerability if
    all of the following are true:
    1. There are 2+ CustomResourceDefinitions sharing the same API group.
    2. Users have cluster-wide list or watch authorization on one of those custom resources.
    3. The same users are not authorized to read another custom resource in the same API group.
cves:
- CVE-2022-3162
ghsas:
- GHSA-2394-5535-8j88
references:
- web: https://nvd.nist.gov/vuln/detail/CVE-2022-3162
- report: https://github.com/kubernetes/kubernetes/issues/113756
- web: https://groups.google.com/g/kubernetes-security-announce/c/iUd550j7kjA
- advisory: https://github.com/advisories/GHSA-2394-5535-8j88
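The three impact conditions in the description translate directly into an RBAC inventory check. The following is an added example written for this page, not code from the Kubernetes project or from the vulndb report: it takes a constructed list of CRDs and ClusterRoles (all names such as `example.com`, `widgets`, `secretsettings` and `widget-viewer` are hypothetical) and reports each role that can list or watch one custom resource cluster-wide but is not authorized to read a second resource in the same API group. It assumes every ClusterRole is granted through a ClusterRoleBinding (so its list/watch is cluster-wide) and ignores `resourceNames` restrictions.

```go
package main

import (
	"fmt"
	"sort"
)

// CRD is a minimal stand-in for a CustomResourceDefinition: the API group
// and the plural resource name that RBAC rules refer to.
type CRD struct {
	Group    string
	Resource string
}

// Rule mirrors the parts of an RBAC PolicyRule this check needs.
// Assumption: no resourceNames restrictions are in use.
type Rule struct {
	APIGroups []string
	Resources []string
	Verbs     []string
}

// ClusterRole is assumed to be bound via a ClusterRoleBinding, so any
// list/watch it grants is cluster-wide (condition 2 of the advisory).
type ClusterRole struct {
	Name  string
	Rules []Rule
}

// Finding records one exposure: Role may list or watch Via cluster-wide but
// is not authorized to read Exposed, and both resources live in Group.
type Finding struct {
	Role, Group, Via, Exposed string
}

// matches implements RBAC wildcard semantics for one rule field.
func matches(list []string, want string) bool {
	for _, v := range list {
		if v == "*" || v == want {
			return true
		}
	}
	return false
}

// allows reports whether any rule in the role grants verb on group/resource.
func (r ClusterRole) allows(group, resource, verb string) bool {
	for _, rule := range r.Rules {
		if matches(rule.APIGroups, group) && matches(rule.Resources, resource) && matches(rule.Verbs, verb) {
			return true
		}
	}
	return false
}

// canRead is "authorized to read" in the advisory's sense: get, list or watch.
func (r ClusterRole) canRead(group, resource string) bool {
	return r.allows(group, resource, "get") || r.allows(group, resource, "list") || r.allows(group, resource, "watch")
}

// FindExposures applies the advisory's three conditions to every role and
// API group and returns the tuples that satisfy all of them.
func FindExposures(crds []CRD, roles []ClusterRole) []Finding {
	byGroup := map[string][]string{}
	for _, c := range crds {
		byGroup[c.Group] = append(byGroup[c.Group], c.Resource)
	}
	var out []Finding
	for _, role := range roles {
		for group, resources := range byGroup {
			if len(resources) < 2 {
				continue // condition 1: the group must hold 2+ CRDs
			}
			for _, via := range resources {
				// condition 2: cluster-wide list or watch on one resource in the group
				if !role.allows(group, via, "list") && !role.allows(group, via, "watch") {
					continue
				}
				for _, other := range resources {
					// condition 3: not authorized to read another resource in the same group
					if other == via || role.canRead(group, other) {
						continue
					}
					out = append(out, Finding{Role: role.Name, Group: group, Via: via, Exposed: other})
				}
			}
		}
	}
	// map iteration order is random; sort so output is stable
	key := func(f Finding) string { return f.Role + "\x00" + f.Group + "\x00" + f.Via + "\x00" + f.Exposed }
	sort.Slice(out, func(i, j int) bool { return key(out[i]) < key(out[j]) })
	return out
}

// Constructed sample inventory with hypothetical names, not taken from any real cluster.
var SampleCRDs = []CRD{
	{Group: "example.com", Resource: "widgets"},
	{Group: "example.com", Resource: "secretsettings"},
	{Group: "other.example.com", Resource: "gadgets"},
}

var SampleRoles = []ClusterRole{
	// list/watch on widgets only: can be used to read secretsettings in the same group
	{Name: "widget-viewer", Rules: []Rule{{APIGroups: []string{"example.com"}, Resources: []string{"widgets"}, Verbs: []string{"get", "list", "watch"}}}},
	// already allowed to read everything, so the bug grants nothing new
	{Name: "everything-reader", Rules: []Rule{{APIGroups: []string{"*"}, Resources: []string{"*"}, Verbs: []string{"get", "list", "watch"}}}},
	// sole CRD in its group, so condition 1 fails
	{Name: "gadget-viewer", Rules: []Rule{{APIGroups: []string{"other.example.com"}, Resources: []string{"gadgets"}, Verbs: []string{"list"}}}},
}

func main() {
	for _, f := range FindExposures(SampleCRDs, SampleRoles) {
		fmt.Printf("%s: cluster-wide list/watch on %s.%s exposes %s.%s\n", f.Role, f.Via, f.Group, f.Exposed, f.Group)
	}
}
```

On a real cluster the inventory would be filled from `kubectl get crd -o json` and from the ClusterRoles referenced by `kubectl get clusterrolebindings -o json`; a non-empty result means the cluster meets the advisory's conditions, and the remedy is upgrading the API server to one of the fixed versions listed above rather than rewriting RBAC.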