How severe is CVE-2025-48710?

CVE-2025-48710 has a CVSS v3 score of 4.1 (MEDIUM).

CVE-2025-48710

4.1MEDIUM

kro (Kube Resource Orchestrator) 0.1.0 before 0.2.1 allows users (with permission to create or modify ResourceGraphDefinition resources) to supply arbitrary container images. This can lead to a confus

发布于: 6/4/2025更新于: 6/4/2025

描述

kro (Kube Resource Orchestrator) 0.1.0 before 0.2.1 allows users (with permission to create or modify ResourceGraphDefinition resources) to supply arbitrary container images. This can lead to a confused-deputy scenario where kro's controllers deploy and run attacker-controlled images, resulting in unauthenticated remote code execution on cluster nodes.

AI分析AI驱动

参考资料

https://github.com/kro-run/kro/compare/v0.2.1...v0.2.2
https://orca.security/resources/blog/kubernetes-crd-abstraction-risks-kro/