CVE-2022-31076

MEDIUM

KubeEdge < 1.9.3, 1.10.0-1.10.1 - Denial of Service via UDS Server Nil-Pointer Dereference

Title source: llm

Description

KubeEdge is built upon Kubernetes and extends native containerized application orchestration and device management to hosts at the Edge. In affected versions a malicious message can crash CloudCore by triggering a nil-pointer dereference in the UDS Server. Since the UDS Server only communicates with the CSI Driver on the cloud side, the attack is limited to the local host network. As such, an attacker would already need to be an authenticated user of the Cloud. Additionally it will be affected only when users turn on the unixsocket switch in the config file cloudcore.yaml. This bug has been fixed in Kubeedge 1.11.0, 1.10.1, and 1.9.3. Users should update to these versions to resolve the issue. Users unable to upgrade should sisable the unixsocket switch of CloudHub in the config file cloudcore.yaml.

References (2)

Core 2

Core References

Exploit, Third Party Advisory x_refsource_confirm

https://github.com/kubeedge/kubeedge/security/advisories/GHSA-8f4f-v9x5-cg6j

Patch, Third Party Advisory x_refsource_misc

https://github.com/kubeedge/kubeedge/pull/3899/commits/5d60ae9eabd6b6b7afe38758e19bbe8137664701

Scores

CVSS v3 4.2

EPSS 0.0011

EPSS Percentile 29.8%

Attack Vector ADJACENT_NETWORK

CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-476

Status published

Products (3)

kubeedge/kubeedge 1.10.0 - 1.10.1Go

linuxfoundation/kubeedge 1.10.0 (2 CPE variants)

linuxfoundation/kubeedge < 1.9.3

Published Jun 27, 2022

Tracked Since Feb 18, 2026