CVE-2023-1174 - OpenCVE

This vulnerability exposes a network port in minikube running on macOS with Docker driver that could enable unexpected remote access to the minikube container.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Apple	Macos
Kubernetes	Minikube

Configuration 1 [-]

AND

cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*

OR	cpe:2.3:a:kubernetes:minikube:1.26.0:::::::*
	cpe:2.3:a:kubernetes:minikube:1.26.1:::::::*
	cpe:2.3:a:kubernetes:minikube:1.27.0:::::::*
	cpe:2.3:a:kubernetes:minikube:1.27.1:::::::*
	cpe:2.3:a:kubernetes:minikube:1.28.0:::::::*

No data.

References

Link	Providers
https://groups.google.com/g/kubernetes-security-announce/c/2ZkJFMDTKbM

History

No history.

MITRE

Status: PUBLISHED

Assigner: kubernetes

Published: 2023-05-24T00:00:00

Updated: 2024-08-02T05:40:58.263Z

Reserved: 2023-03-03T00:00:00

Link: CVE-2023-1174

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2023-05-24T17:15:09.733

Modified: 2023-05-31T19:09:11.500

Link: CVE-2023-1174

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2023-1174", "assignerOrgId": "a6081bf6-c852-4425-ad4f-a67919267565", "assignerShortName": "kubernetes", "dateUpdated": "2024-08-02T05:40:58.263Z", "dateReserved": "2023-03-03T00:00:00", "datePublished": "2023-05-24T00:00:00"}, "containers": {"cna": {"title": "[minikube] Network Port exposure in minikube running on macOS using Docker driver", "datePublic": "2023-04-12T00:00:00", "providerMetadata": {"orgId": "a6081bf6-c852-4425-ad4f-a67919267565", "shortName": "kubernetes", "dateUpdated": "2023-05-24T00:00:00"}, "descriptions": [{"lang": "en", "value": "This vulnerability exposes a network port in minikube running on macOS with Docker driver that could enable unexpected remote access to the minikube container."}], "affected": [{"vendor": "Kubernetes", "product": "minikube", "versions": [{"version": "1.26.0", "status": "affected", "lessThan": "unspecified", "versionType": "custom"}, {"version": "unspecified", "lessThanOrEqual": "1.28.0", "status": "affected", "versionType": "custom"}], "platforms": ["macOS"]}], "references": [{"url": "https://groups.google.com/g/kubernetes-security-announce/c/2ZkJFMDTKbM"}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL"}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-266 Incorrect Privilege Assignment", "cweId": "CWE-266"}]}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "source": {"discovery": "EXTERNAL"}, "workarounds": [{"lang": "en", "value": "To continue using an existing cluster, change the default port mappings of the minikube container and restart the docker daemon -\n\ndocker run -v /var/lib/docker:/var/lib/docker -e MINIKUBE_CONTAINER_ID=\"$(docker ps --no-trunc -aqf 'name=^minikube$')\" -it --entrypoint /bin/sh alpine\nsed -i 's/0.0.0.0/127.0.0.1/g' /var/lib/docker/containers/$MINIKUBE_CONTAINER_ID/config.v2.json"}], "solutions": [{"lang": "en", "value": "To mitigate these vulnerabilities, upgrade minikube to the latest version and delete any clusters created using an affected version. To delete clusters created using prior versions, run `minikube delete --all`\n"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T05:40:58.263Z"}, "title": "CVE Program Container", "references": [{"url": "https://groups.google.com/g/kubernetes-security-announce/c/2ZkJFMDTKbM", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*", "matchCriteriaId": "387021A0-AF36-463C-A605-32EA7DAC172E", "vulnerable": false}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:a:kubernetes:minikube:1.26.0:*:*:*:*:*:*:*", "matchCriteriaId": "C947A326-8671-4B10-B586-32C14E42F0D8", "vulnerable": true}, {"criteria": "cpe:2.3:a:kubernetes:minikube:1.26.1:*:*:*:*:*:*:*", "matchCriteriaId": "E3E8A841-DF87-4018-8274-2475C9C969AC", "vulnerable": true}, {"criteria": "cpe:2.3:a:kubernetes:minikube:1.27.0:*:*:*:*:*:*:*", "matchCriteriaId": "0D24AF30-3E95-4230-86CC-D993CBF9AE81", "vulnerable": true}, {"criteria": "cpe:2.3:a:kubernetes:minikube:1.27.1:*:*:*:*:*:*:*", "matchCriteriaId": "D7952A75-CB33-4E52-8995-21EAA0DB80F8", "vulnerable": true}, {"criteria": "cpe:2.3:a:kubernetes:minikube:1.28.0:*:*:*:*:*:*:*", "matchCriteriaId": "62E2C3FA-7F5A-40B6-AE7C-7B3207A0D781", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "This vulnerability exposes a network port in minikube running on macOS with Docker driver that could enable unexpected remote access to the minikube container."}], "id": "CVE-2023-1174", "lastModified": "2023-05-31T19:09:11.500", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "jordan@liggitt.net", "type": "Secondary"}]}, "published": "2023-05-24T17:15:09.733", "references": [{"source": "jordan@liggitt.net", "tags": ["Mailing List"], "url": "https://groups.google.com/g/kubernetes-security-announce/c/2ZkJFMDTKbM"}], "sourceIdentifier": "jordan@liggitt.net", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-266"}], "source": "jordan@liggitt.net", "type": "Secondary"}]}