CVE-2023-32187

2023-09-1812:04:27

CWE-770

suse

github.com

vulnerability

suse k3s

denial of service

cve-2023-32187

access

tcp 6443

k3s servers

apis

supervisor port

version

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score

7.1

Confidence

High

SSVC

Exploitation

none

Automatable

yes

Technical Impact

partial

JSON

An Allocation of Resources Without Limits or Throttling vulnerability in SUSE k3s allows attackers with access to K3s servers’ apiserver/supervisor port (TCP 6443) cause denial of service.
This issue affects k3s: from v1.24.0 before v1.24.17+k3s1, from v1.25.0 before v1.25.13+k3s1, from v1.26.0 before v1.26.8+k3s1, from sev1.27.0 before v1.27.5+k3s1, from v1.28.0 before v1.28.1+k3s1.

ADP Affected

[
  {
    "cpes": [
      "cpe:2.3:a:k3s:k3s:*:*:*:*:*:*:*:*"
    ],
    "vendor": "k3s",
    "product": "k3s",
    "versions": [
      {
        "status": "affected",
        "version": "1.24.0",
        "lessThan": "1.24.17+k3s1",
        "versionType": "custom"
      },
      {
        "status": "affected",
        "version": "1.25.0",
        "lessThan": "1.25.13+k3s1",
        "versionType": "custom"
      },
      {
        "status": "affected",
        "version": "1.26.0",
        "lessThan": "1.26.8+k3s1",
        "versionType": "custom"
      },
      {
        "status": "affected",
        "version": "1.28.0",
        "lessThan": "1.28.1+k3s1",
        "versionType": "custom"
      },
      {
        "status": "affected",
        "version": "1.27.0",
        "lessThan": "1.27.5+k3s1",
        "versionType": "custom"
      }
    ],
    "defaultStatus": "unknown"
  }
]