{ "schema_version": "1.4.0", "id": "GHSA-864f-7xjm-2jp2", "modified": "2025-05-05T21:57:30Z", "published": "2025-04-25T06:30:56Z", "aliases": [ "CVE-2025-46599" ], "summary": "CNCF K3s Kubernetes kubelet configuration exposes credentials", "details": "CNCF K3s 1.32 before 1.32.4-rc1+k3s1 has a Kubernetes kubelet configuration change with the unintended consequence that, in some situations, ReadOnlyPort is set to 10255. For example, the default behavior of a K3s online installation might allow unauthenticated access to this port, exposing credentials.", "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N" } ], "affected": [ { "package": { "ecosystem": "Go", "name": "github.com/k3s-io/k3s" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "1.32.0-rc1" }, { "fixed": "1.32.4-rc1" } ] } ] } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46599" }, { "type": "WEB", "url": "https://github.com/f1veT/BUG/issues/2" }, { "type": "WEB", "url": "https://github.com/k3s-io/k3s/issues/12164" }, { "type": "WEB", "url": "https://github.com/k3s-io/k3s/commit/097b63e588e3c844cdf9b967bcd0a69f4fc0aa0a" }, { "type": "WEB", "url": "https://cloud.google.com/kubernetes-engine/docs/how-to/disable-kubelet-readonly-port" }, { "type": "PACKAGE", "url": "https://github.com/k3s-io/k3s" }, { "type": "WEB", "url": "https://github.com/k3s-io/k3s/compare/v1.32.3+k3s1...v1.32.4-rc1+k3s1" }, { "type": "WEB", "url": "https://pkg.go.dev/vuln/GO-2025-3646" } ], "database_specific": { "cwe_ids": [ "CWE-1188" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2025-04-25T15:07:32Z", "nvd_published_at": "2025-04-25T05:15:33Z" } }