CVE-2022-3294 in kube-apiserver

Summary

by MITRE • 03/01/2023

Users may have access to secure endpoints in the control plane network. Kubernetes clusters are only affected if an untrusted user can modify Node objects and send proxy requests to them.

Kubernetes supports node proxying, which allows clients of kube-apiserver to access endpoints of a Kubelet to establish connections to Pods, retrieve container logs, and more. While Kubernetes already validates the proxying address for Nodes, a bug in kube-apiserver made it possible to bypass this validation. Bypassing this validation could allow authenticated requests destined for Nodes to the API server's private network.


Analysis

by VulDB Data Team • 07/06/2025

The vulnerability described in CVE-2022-3294 represents a critical security flaw in Kubernetes cluster control plane networks that enables unauthorized access to protected endpoints through a validation bypass mechanism. This issue specifically targets the kube-apiserver component's node proxying functionality, which serves as a bridge between cluster clients and individual node services. The vulnerability arises from insufficient input validation that allows malicious actors to circumvent the established security controls designed to protect the cluster's internal network infrastructure.

The technical flaw manifests in the kube-apiserver's validation logic for node proxy requests, where an attacker with the ability to modify Node objects can craft malicious proxy requests that bypass the intended security boundaries. This validation bypass occurs because the system fails to properly enforce address validation checks when processing proxy requests destined for Kubelet endpoints. The vulnerability specifically impacts clusters where untrusted users possess the capability to modify Node objects, creating a path for authenticated requests to traverse the API server's private network without proper authorization. This represents a direct violation of the principle of least privilege and network segmentation that Kubernetes relies upon for cluster security.

The operational impact of this vulnerability extends beyond simple unauthorized access, as it enables attackers to potentially escalate privileges and gain deeper insights into the cluster's internal operations. An attacker who successfully exploits this vulnerability could access secure endpoints within the control plane network, potentially compromising sensitive cluster data, retrieving container logs, establishing connections to pods, and accessing other node-level services that should remain isolated from untrusted users. The implications are particularly severe in multi-tenant environments where the compromise of one user's access could lead to broader cluster infiltration. This vulnerability directly relates to CWE-284 (Improper Access Control) and can be mapped to ATT&CK technique T1078 (Valid Accounts) and T1566 (Phishing) when considering how attackers might gain initial access to modify Node objects before exploiting this validation bypass.

Mitigation strategies for CVE-2022-3294 require immediate attention to restrict Node object modifications and implement additional validation layers. Organizations should enforce strict RBAC policies that limit which users or roles can modify Node objects, ensuring that only trusted administrators have this capability. The recommended approach includes implementing network segmentation controls that prevent unauthorized access to the control plane network, along with enhanced monitoring of Node object modifications and proxy request patterns. Kubernetes administrators should also consider upgrading to versions that have patched this validation bypass, as the vulnerability stems from specific implementation flaws in the kube-apiserver's proxy validation logic. Additional defensive measures include implementing webhook admission controllers to validate proxy requests and establishing comprehensive audit logging to detect suspicious activities related to node proxying operations, thereby providing visibility into potential exploitation attempts and supporting incident response efforts.
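The monitoring suggested above can be sketched as a correlation over API server audit events. This is an added example, not code from VulDB or the Kubernetes project: it flags any principal that writes a Node object and later sends a `nodes/proxy` request to the same node. It assumes audit logging is enabled with JSON-lines output; the function names, user names, and sample events are constructed for illustration.

```python
import json

# Constructed sample events in the audit.k8s.io/v1 Event shape, one per line.
SAMPLE_AUDIT_LOG = """\
{"verb":"patch","user":{"username":"system:node:node-a"},"objectRef":{"resource":"nodes","name":"node-a","subresource":"status"},"requestReceivedTimestamp":"2023-03-01T10:00:00.000000Z"}
{"verb":"update","user":{"username":"tenant-ci"},"objectRef":{"resource":"nodes","name":"node-b"},"requestReceivedTimestamp":"2023-03-01T10:01:00.000000Z"}
{"verb":"get","user":{"username":"tenant-ci"},"objectRef":{"resource":"nodes","name":"node-b","subresource":"proxy"},"requestReceivedTimestamp":"2023-03-01T10:01:05.000000Z"}
{"verb":"get","user":{"username":"ops-admin"},"objectRef":{"resource":"nodes","name":"node-a","subresource":"proxy"},"requestReceivedTimestamp":"2023-03-01T10:02:00.000000Z"}
{"verb":"get","user":{"username":"tenant-ci"},"objectRef":{"resource":"pods","name":"web-0","namespace":"ci"},"requestReceivedTimestamp":"2023-03-01T10:03:00.000000Z"}
"""

WRITE_VERBS = {"create", "update", "patch"}

def parse_events(text):
    """Parse JSON-lines audit output, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(ev, dict):
            events.append(ev)
    # RFC 3339 UTC timestamps of equal precision sort correctly as strings.
    return sorted(events, key=lambda e: e.get("requestReceivedTimestamp", ""))

def find_modify_then_proxy(text):
    """Return {(user, node): (write_time, proxy_time)} for principals that wrote
    a Node object and later sent a nodes/proxy request to that same node."""
    last_write, findings = {}, {}
    for ev in parse_events(text):
        ref = ev.get("objectRef") or {}
        if ref.get("resource") != "nodes":
            continue
        key = ((ev.get("user") or {}).get("username", "<unknown>"), ref.get("name", ""))
        when = ev.get("requestReceivedTimestamp", "")
        if ref.get("subresource") == "proxy":
            # Proxy verbs mirror the HTTP method, so match on the subresource.
            if key in last_write:
                findings.setdefault(key, (last_write[key], when))
        elif ev.get("verb") in WRITE_VERBS:
            # Counts writes to the Node and to nodes/status (assumption: both matter).
            last_write[key] = when
    return findings

if __name__ == "__main__":
    for (user, node), (w, p) in find_modify_then_proxy(SAMPLE_AUDIT_LOG).items():
        print(f"{user} wrote Node {node} at {w}, then proxied to it at {p}")
```

On the sample, only `tenant-ci` is reported: the kubelet identity writes its own status but never proxies, and `ops-admin` proxies without having modified the Node.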

Responsible: Kubernetes

Reservation: 09/23/2022

Disclosure: 03/01/2023

Moderation: accepted

CPE: ready

EPSS: 0.01618

KEV: no

Activities: very low
