CVE-2025-48710 · CVEKit

cve.orgen

354 chars

kro (Kube Resource Orchestrator) 0.1.0 before 0.2.1 allows users (with permission to create or modify ResourceGraphDefinition resources) to supply arbitrary container images. This can lead to a confused-deputy scenario where kro's controllers deploy and run attacker-controlled images, resulting in unauthenticated remote code execution on cluster nodes.

NVDen

354 chars

kro (Kube Resource Orchestrator) 0.1.0 before 0.2.1 allows users (with permission to create or modify ResourceGraphDefinition resources) to supply arbitrary container images. This can lead to a confused-deputy scenario where kro's controllers deploy and run attacker-controlled images, resulting in unauthenticated remote code execution on cluster nodes.

OSV.deven

59 chars

kro Confused Deputy vulnerability in github.com/kro-run/kro

GHSAen

354 chars

kro (Kube Resource Orchestrator) 0.1.0 before 0.2.1 allows users (with permission to create or modify ResourceGraphDefinition resources) to supply arbitrary container images. This can lead to a confused-deputy scenario where kro's controllers deploy and run attacker-controlled images, resulting in unauthenticated remote code execution on cluster nodes.

NVDes

433 chars

kro (Kube Resource Orchestrator) 0.1.0 anterior a 0.2.1 permite a los usuarios (con permiso para crear o modificar recursos ResourceGraphDefinition) proporcionar imágenes de contenedor arbitrarias. Esto puede generar un escenario de subordinación confusa donde los controladores de kro implementan y ejecutan imágenes controladas por atacantes, lo que resulta en la ejecución remota de código no autenticado en los nodos del clúster.

CVSS metrics across sources

3

Version	Type	Source	Base	Exp	Impact	Vector
3.1	Primary	cve.org	4.1	—	—	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:N
3.1	Secondary	NVD	4.1	2.3	1.4	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:N