Home
» GitHub Advisories
» GHSA-864f-7xjm-2jp2
Description
CNCF K3s 1.32 before 1.32.4-rc1+k3s1 has a Kubernetes kubelet configuration change with the unintended consequence that, in some situations, ReadOnlyPort is set to 10255. For example, the default behavior of a K3s online installation might allow unauthenticated access to this port, exposing credentials.
Basic information
Type
reviewed
Severity
medium Advisory on GitHub
Open advisory ↗ Repository advisory
—
Source code
Browse source ↗ Published (advisory)
2025-04-25 06:30:56 UTC
Updated
2025-05-05 21:57:33 UTC
GitHub reviewed
2025-04-25 15:07:32 UTC
NVD published
2025-04-25
EPSS Score
Score
Percentile
0.35%
57.52%
CVSS Scores
Base score
Version
Severity
Vector
6.8
3.1
—
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N
Click to expand
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:H)
Even with access, the exploit needs extra luck, timing, or a fussy environment to actually work.
Privileges required (PR:N)
No account or special rights needed—anonymous or random user is enough.
User interaction (UI:N)
Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:C)
Breaking this can reach past the original component and bite other resources—bigger blast radius.
Confidentiality (C:H)
Serious risk that confidential data gets exposed in a big way.
Integrity (I:N)
Data isn’t meaningfully altered or forged.
Availability (A:N)
Service keeps running; no real outage angle.
CWEs
CWE id
Name
CWE-1188
Initialization of a Resource with an Insecure Default
Affected packages (1)
Vulnerable version ranges and first patched releases as published by GitHub.
Ecosystem
Package
Vulnerable range
First patched
Vulnerable functions
go
github.com/k3s-io/k3s >= 1.32.0-rc1, < 1.32.4-rc1
1.32.4-rc1
—
cvelogic
Threat Intelligence