Severity by source
AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:N
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:N
Lifecycle Timeline
4DescriptionCVE.org
kro (Kube Resource Orchestrator) 0.1.0 before 0.2.1 allows users (with permission to create or modify ResourceGraphDefinition resources) to supply arbitrary container images. This can lead to a confused-deputy scenario where kro's controllers deploy and run attacker-controlled images, resulting in unauthenticated remote code execution on cluster nodes.
Analysis
kro (Kube Resource Orchestrator) 0.1.0 before 0.2.1 allows users (with permission to create or modify ResourceGraphDefinition resources) to supply arbitrary container images. This can lead to a confused-deputy scenario where kro's controllers deploy and run attacker-controlled images, resulting in unauthenticated remote code execution on cluster nodes.
Technical ContextAI
Remote code execution allows an attacker to run arbitrary commands or code on the target system over a network without prior authentication.
RemediationAI
Apply vendor patches immediately. Restrict network access to vulnerable services. Implement network segmentation and monitoring for anomalous activity.
Vendor StatusVendor
SUSE
Severity: Medium| Product | Status |
|---|---|
| SUSE Linux Enterprise Server 16.0 | Fixed |
| openSUSE Tumbleweed | Fixed |
| SUSE Linux Enterprise Server 16.1 | Fixed |
| SUSE Linux Enterprise Server for SAP applications 16.1 | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-16843
GHSA-7633-x85h-5mqh