CVE-2022-3162: 
Podman vulnerability analysis and mitigation

CVE-2022-3162 is a security vulnerability in Kubernetes where users authorized to list or watch one type of namespaced custom resource cluster-wide can read custom resources of a different type in the same API group without authorization. The vulnerability was discovered and reported by Richard Turnbull of NCC Group as part of the Kubernetes Audit. The affected versions include Kubernetes kube-apiserver versions <= v1.25.3, v1.24.7, v1.23.13, and v1.22.15 (Kubernetes Issue, Security Announce).

The vulnerability has been rated Medium with a CVSS score of 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N). Clusters are impacted by this vulnerability when three conditions are met: 1) There are 2+ CustomResourceDefinitions sharing the same API group, 2) Users have cluster-wide list or watch authorization on one of those custom resources, and 3) The same users are not authorized to read another custom resource in the same API group (Kubernetes Issue).

When successfully exploited, this vulnerability could lead to unauthorized disclosure of sensitive information. Specifically, users with permissions to list or watch one type of namespaced custom resource cluster-wide can gain unauthorized access to read custom resources of a different type in the same API group (NetApp Advisory).

The vulnerability can be mitigated by upgrading the kube-apiserver to fixed versions: v1.25.4, v1.24.8, v1.23.14, or v1.22.16. Prior to upgrading, the vulnerability can be temporarily mitigated by avoiding granting cluster-wide list and watch permissions (Security Announce).