Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.externalIPs field, to intercept traffic to that IP address. Additionally, an attacker who is able to patch the status (which is considered a privileged operation and should not typically be granted to users) of a LoadBalancer service can set the status.loadBalancer.ingress.ip to similar effect.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:LKubernetes
APPKuberneteswszystkie wersjeOracle Communications Cloud Native Core Network Slice Selection Function
APPOracle1.2.1Oracle Communications Cloud Native Core Policy
APPOracle1.15.0Oracle Communications Cloud Native Core Service Communication Proxy
APPOracle1.14.0
Related vulnerabilities
In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using routing functionalit...
A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) ...
In spring cloud gateway versions prior to 3.1.1+ and 3.0.7+ , applications are vulnerable to a code injection ...
Nieprawidłowa autoryzacja w Esri Portal for ArcGIS — obejście uprawnień
SQL Injection w Esri ArcGIS Server — zdalny dostęp bez uwierzytelnienia