CVE-2023-32187

Name
CVE-2023-32187
Description
An Allocation of Resources Without Limits or Throttling vulnerability in SUSE k3s allows attackers with access to K3s servers' apiserver/supervisor port (TCP 6443) cause denial of service. This issue affects k3s: from v1.24.0 before v1.24.17+k3s1, from v1.25.0 before v1.25.13+k3s1, from v1.26.0 before v1.26.8+k3s1, from sev1.27.0 before v1.27.5+k3s1, from v1.28.0 before v1.28.1+k3s1.
NVD Severity
medium
Other trackers
CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia
Mailing lists
oss-security, full-disclosure, bugtraq
Exploits
Exploit DB, Metasploit
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
MISC https://bugzilla.suse.com/show_bug.cgi?id=CVE-2023-32187https://
MISC https://github.com/k3s-io/k3s/security/advisories/GHSA-m4hf-6vgr-75r2

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:k3s:k3s:*:*:*:*:*:*:*:* k3s >= 1.28.0 < 1.28.1\+k3s1
cpe:2.3:a:k3s:k3s:*:*:*:*:*:*:*:* k3s >= 1.27.0 < 1.27.5\+k3s1
cpe:2.3:a:k3s:k3s:*:*:*:*:*:*:*:* k3s >= 1.26.0 < 1.26.8\+k3s1
cpe:2.3:a:k3s:k3s:*:*:*:*:*:*:*:* k3s >= 1.25.0 < 1.25.13\+k3s1
cpe:2.3:a:k3s:k3s:*:*:*:*:*:*:*:* k3s >= 1.24.0 < 1.24.17\+k3s1

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
k3s edge-community 1.27.5.1-r0 Oleg Titov <oleg.titov@gmail.com> fixed
k3s edge-community 1.27.3.1-r0 Oleg Titov <oleg.titov@gmail.com> possibly vulnerable
k3s 3.22-community 1.27.5.1-r0 None fixed
k3s 3.22-community 1.27.3.1-r0 None possibly vulnerable
k3s 3.21-community 1.27.5.1-r0 None fixed
k3s 3.20-community 1.27.5.1-r0 None fixed
k3s 3.19-community 1.27.5.1-r0 None fixed
k3s 3.18-community 1.27.5.1-r2 Oleg Titov <oleg.titov@gmail.com> fixed
k3s 3.18-community 1.27.5.1-r1 Oleg Titov <oleg.titov@gmail.com> fixed
k3s 3.18-community 1.27.5.1-r0 Oleg Titov <oleg.titov@gmail.com> fixed