Vulnerabilities > CVE-2023-48713 - Unspecified vulnerability in Knative Serving
Attack vector
NETWORK Attack complexity
HIGH Privileges required
LOW Confidentiality impact
NONE Integrity impact
NONE Availability impact
HIGH Summary
Knative Serving builds on Kubernetes to support deploying and serving of applications and functions as serverless containers. An attacker who controls a pod to a degree where they can control the responses from the /metrics endpoint can cause Denial-of-Service of the autoscaler from an unbound memory allocation bug. This is a DoS vulnerability, where a non-privileged Knative user can cause a DoS for the cluster. This issue has been patched in version 0.39.0.
Vulnerable Configurations
References
- https://github.com/knative/serving/commit/012ee2509231b80b7842139bfabc30516d3026ca
- https://github.com/knative/serving/commit/012ee2509231b80b7842139bfabc30516d3026ca
- https://github.com/knative/serving/commit/101f814112b9ca0767f457e7e616b46205551cf1
- https://github.com/knative/serving/commit/101f814112b9ca0767f457e7e616b46205551cf1
- https://github.com/knative/serving/commit/fff40ef7bac9be8380ec3d1c70fc15b57093382a
- https://github.com/knative/serving/commit/fff40ef7bac9be8380ec3d1c70fc15b57093382a
- https://github.com/knative/serving/security/advisories/GHSA-qmvj-4qr9-v547
- https://github.com/knative/serving/security/advisories/GHSA-qmvj-4qr9-v547