CVE-2022-3294

MEDIUM

kubernetes <1.22.16 and 1.25.0-1.25.4 - Authenticated Server-Side Request Forgery via Node Proxy Validation Bypass

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2022-3294. PoCs published by arbaaz29.

AI-analyzed exploit summary This repository contains a functional exploit for CVE-2022-3294, which allows an attacker with a service account token to escalate privileges by manipulating node status and accessing sensitive resources via the Kubernetes API server. The exploit involves patching node status to redirect traffic and then accessing secrets, pods, and services through the proxy endpoint.

Description

Users may have access to secure endpoints in the control plane network. Kubernetes clusters are only affected if an untrusted user can modify Node objects and send proxy requests to them. Kubernetes supports node proxying, which allows clients of kube-apiserver to access endpoints of a Kubelet to establish connections to Pods, retrieve container logs, and more. While Kubernetes already validates the proxying address for Nodes, a bug in kube-apiserver made it possible to bypass this validation. Bypassing this validation could allow authenticated requests destined for Nodes to to the API server's private network.

Exploits (1)

nomisec WORKING POC

by arbaaz29 · poc

https://github.com/arbaaz29/CVE-2022-3294

View Code ZIP pw:eip

This repository contains a functional exploit for CVE-2022-3294, which allows an attacker with a service account token to escalate privileges by manipulating node status and accessing sensitive resources via the Kubernetes API server. The exploit involves patching node status to redirect traffic and then accessing secrets, pods, and services through the proxy endpoint.

Classification

Working Poc 95%

Attack Type

Lpe

Complexity

Moderate

Reliability

Reliable

Target: Kubernetes (versions affected by CVE-2022-3294)

Auth required

Prerequisites: Service account token with permissions to update node status · Access to the Kubernetes API server · Knowledge of node and API server IPs

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Feb 19, 2026 Full analysis →

References (3)

Core 3

Core References

Patch, Vendor Advisory

https://github.com/kubernetes/kubernetes/issues/113757

Mailing List, Third Party Advisory

https://groups.google.com/g/kubernetes-security-announce/c/VyPOxF7CIbA

Vendor Advisory

https://security.netapp.com/advisory/ntap-20230505-0007/

Scores

CVSS v3 6.6

EPSS 0.0077

EPSS Percentile 74.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-20

Status published

Products (2)

kubernetes/kubernetes < 1.22.16

kubernetes/kubernetes 1.25.0 - 1.25.4Go

Published Mar 01, 2023

Tracked Since Feb 18, 2026