{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-48713", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-11-17T19:43:37.555Z", "datePublished": "2023-11-28T03:44:59.538Z", "dateUpdated": "2024-10-11T17:58:05.682Z"}, "containers": {"cna": {"title": "Knative Serving vulnerable to attacker-controlled pod causing denial of service of autoscaler", "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "lang": "en", "description": "CWE-400: Uncontrolled Resource Consumption", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/knative/serving/security/advisories/GHSA-qmvj-4qr9-v547", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/knative/serving/security/advisories/GHSA-qmvj-4qr9-v547"}, {"name": "https://github.com/knative/serving/commit/012ee2509231b80b7842139bfabc30516d3026ca", "tags": ["x_refsource_MISC"], "url": "https://github.com/knative/serving/commit/012ee2509231b80b7842139bfabc30516d3026ca"}, {"name": "https://github.com/knative/serving/commit/101f814112b9ca0767f457e7e616b46205551cf1", "tags": ["x_refsource_MISC"], "url": "https://github.com/knative/serving/commit/101f814112b9ca0767f457e7e616b46205551cf1"}, {"name": "https://github.com/knative/serving/commit/fff40ef7bac9be8380ec3d1c70fc15b57093382a", "tags": ["x_refsource_MISC"], "url": "https://github.com/knative/serving/commit/fff40ef7bac9be8380ec3d1c70fc15b57093382a"}], "affected": [{"vendor": "knative", "product": "serving", "versions": [{"version": "< 0.39.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-11-28T03:44:59.538Z"}, "descriptions": [{"lang": "en", "value": "Knative Serving builds on Kubernetes to support deploying and serving of applications and functions as serverless containers. An attacker who controls a pod to a degree where they can control the responses from the /metrics endpoint can cause Denial-of-Service of the autoscaler from an unbound memory allocation bug. This is a DoS vulnerability, where a non-privileged Knative user can cause a DoS for the cluster. This issue has been patched in version 0.39.0."}], "source": {"advisory": "GHSA-qmvj-4qr9-v547", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T21:37:54.657Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/knative/serving/security/advisories/GHSA-qmvj-4qr9-v547", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/knative/serving/security/advisories/GHSA-qmvj-4qr9-v547"}, {"name": "https://github.com/knative/serving/commit/012ee2509231b80b7842139bfabc30516d3026ca", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/knative/serving/commit/012ee2509231b80b7842139bfabc30516d3026ca"}, {"name": "https://github.com/knative/serving/commit/101f814112b9ca0767f457e7e616b46205551cf1", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/knative/serving/commit/101f814112b9ca0767f457e7e616b46205551cf1"}, {"name": "https://github.com/knative/serving/commit/fff40ef7bac9be8380ec3d1c70fc15b57093382a", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/knative/serving/commit/fff40ef7bac9be8380ec3d1c70fc15b57093382a"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-10-11T17:51:35.195449Z", "id": "CVE-2023-48713", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-11T17:58:05.682Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-48713", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-11-17T19:43:37.555Z", "datePublished": "2023-11-28T03:44:59.538Z", "dateUpdated": "2024-10-11T17:58:05.682Z"}, "containers": {"cna": {"title": "Knative Serving vulnerable to attacker-controlled pod causing denial of service of autoscaler", "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "lang": "en", "description": "CWE-400: Uncontrolled Resource Consumption", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/knative/serving/security/advisories/GHSA-qmvj-4qr9-v547", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/knative/serving/security/advisories/GHSA-qmvj-4qr9-v547"}, {"name": "https://github.com/knative/serving/commit/012ee2509231b80b7842139bfabc30516d3026ca", "tags": ["x_refsource_MISC"], "url": "https://github.com/knative/serving/commit/012ee2509231b80b7842139bfabc30516d3026ca"}, {"name": "https://github.com/knative/serving/commit/101f814112b9ca0767f457e7e616b46205551cf1", "tags": ["x_refsource_MISC"], "url": "https://github.com/knative/serving/commit/101f814112b9ca0767f457e7e616b46205551cf1"}, {"name": "https://github.com/knative/serving/commit/fff40ef7bac9be8380ec3d1c70fc15b57093382a", "tags": ["x_refsource_MISC"], "url": "https://github.com/knative/serving/commit/fff40ef7bac9be8380ec3d1c70fc15b57093382a"}], "affected": [{"vendor": "knative", "product": "serving", "versions": [{"version": "< 0.39.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-11-28T03:44:59.538Z"}, "descriptions": [{"lang": "en", "value": "Knative Serving builds on Kubernetes to support deploying and serving of applications and functions as serverless containers. An attacker who controls a pod to a degree where they can control the responses from the /metrics endpoint can cause Denial-of-Service of the autoscaler from an unbound memory allocation bug. This is a DoS vulnerability, where a non-privileged Knative user can cause a DoS for the cluster. This issue has been patched in version 0.39.0."}], "source": {"advisory": "GHSA-qmvj-4qr9-v547", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T21:37:54.657Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/knative/serving/security/advisories/GHSA-qmvj-4qr9-v547", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/knative/serving/security/advisories/GHSA-qmvj-4qr9-v547"}, {"name": "https://github.com/knative/serving/commit/012ee2509231b80b7842139bfabc30516d3026ca", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/knative/serving/commit/012ee2509231b80b7842139bfabc30516d3026ca"}, {"name": "https://github.com/knative/serving/commit/101f814112b9ca0767f457e7e616b46205551cf1", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/knative/serving/commit/101f814112b9ca0767f457e7e616b46205551cf1"}, {"name": "https://github.com/knative/serving/commit/fff40ef7bac9be8380ec3d1c70fc15b57093382a", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/knative/serving/commit/fff40ef7bac9be8380ec3d1c70fc15b57093382a"}]}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-48713", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-10-11T17:51:35.195449Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-11T17:52:42.765Z"}}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:knative:serving:*:*:*:*:*:*:*:*", "matchCriteriaId": "F83BBBFD-C622-41D7-BE6A-D7BA52B6B2D2", "versionEndExcluding": "1.10.5", "vulnerable": true}, {"criteria": "cpe:2.3:a:knative:serving:*:*:*:*:*:*:*:*", "matchCriteriaId": "3672D2F9-C70C-4FC1-8992-B8EB42F755BB", "versionEndExcluding": "1.11.3", "versionStartIncluding": "1.11.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Knative Serving builds on Kubernetes to support deploying and serving of applications and functions as serverless containers. An attacker who controls a pod to a degree where they can control the responses from the /metrics endpoint can cause Denial-of-Service of the autoscaler from an unbound memory allocation bug. This is a DoS vulnerability, where a non-privileged Knative user can cause a DoS for the cluster. This issue has been patched in version 0.39.0."}, {"lang": "es", "value": "Knative Serving se basa en Kubernetes para admitir la implementaci\u00f3n y el servicio de aplicaciones y funciones como contenedores sin servidor. Un atacante que controla un pod hasta un punto en el que pueda controlar las respuestas desde el endpoint /metrics puede provocar una Denegaci\u00f3n de Servicio del escalador autom\u00e1tico debido a un error de asignaci\u00f3n de memoria independiente. Esta es una vulnerabilidad DoS, donde un usuario de Knative sin privilegios puede provocar un DoS para el cl\u00faster. Este problema se solucion\u00f3 en la versi\u00f3n 0.39.0."}], "id": "CVE-2023-48713", "lastModified": "2024-11-21T08:32:18.947", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-11-28T04:15:07.820", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/knative/serving/commit/012ee2509231b80b7842139bfabc30516d3026ca"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/knative/serving/commit/101f814112b9ca0767f457e7e616b46205551cf1"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/knative/serving/commit/fff40ef7bac9be8380ec3d1c70fc15b57093382a"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/knative/serving/security/advisories/GHSA-qmvj-4qr9-v547"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/knative/serving/commit/012ee2509231b80b7842139bfabc30516d3026ca"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/knative/serving/commit/101f814112b9ca0767f457e7e616b46205551cf1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/knative/serving/commit/fff40ef7bac9be8380ec3d1c70fc15b57093382a"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/knative/serving/security/advisories/GHSA-qmvj-4qr9-v547"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{}