How severe is CVE-2025-48710?

CVE-2025-48710 has a CVSS v3 score of 4.1 (MEDIUM).

CVE-2025-48710

4.1MEDIUM

kro (Kube Resource Orchestrator) 0.1.0 before 0.2.1 allows users (with permission to create or modify ResourceGraphDefinition resources) to supply arbitrary container images. This can lead to a confus

Veröffentlicht: 6/4/2025Aktualisiert: 6/4/2025

Beschreibung

kro (Kube Resource Orchestrator) 0.1.0 before 0.2.1 allows users (with permission to create or modify ResourceGraphDefinition resources) to supply arbitrary container images. This can lead to a confused-deputy scenario where kro's controllers deploy and run attacker-controlled images, resulting in unauthenticated remote code execution on cluster nodes.

KI-AnalyseKI-gestützt

Referenzen

https://github.com/kro-run/kro/compare/v0.2.1...v0.2.2
https://orca.security/resources/blog/kubernetes-crd-abstraction-risks-kro/