← back
CVE-2023-48713

Knative Serving vulnerable to attacker-controlled pod causing denial of service of autoscaler

CVSS 6.5 MEDIUMEPSS 0.9%CWE-400
Vexday Risk Score
13Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 6.5EPSS 0.9%KEV nãoPoC Nuclei Metasploit Patch
Lifecycle
28 Nov 2023Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
Knative Serving builds on Kubernetes to support deploying and serving of applications and functions as serverless containers. An attacker who controls a pod to a degree where they can control the responses from the /metrics endpoint can cause Denial-of-Service of the autoscaler from an unbound memory allocation bug. This is a DoS vulnerability, where a non-privileged Knative user can cause a DoS for the cluster. This issue has been patched in version 0.39.0.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Affected products
knative · serving

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →