Base Score

MEDIUM6.8

CVE-2025-46599

CNCF K3s 1.32 before 1.32.4-rc1+k3s1 has a Kubernetes kubelet configuration change with the unintended consequence that, in some situations, ReadOnlyPort is set to 10255. For example, the default behavior of a K3s online installation might allow unauthenticated access to this port, exposing credentials.

VectorNETWORK

Published Bycve@mitre.org

Published DateApr 25, 2025, 05:15

Affected Versions(1)

github.com/k3s-io/k3s(Go)

Introduced1.32.0-rc1

Fixed1.32.4-rc1

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
github.com/k3s-io/k3s(Go)	1.32.0-rc1	1.32.4-rc1	N/A

Weakness Type (CWE):CWE-1188

CVSS Metrics

Base Score

6.8

Vector String

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N

Base Severity

MEDIUM

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

HIGH

Privileges Required (PR)

NONE

User Interaction (UI)

NONE

Scope (S)

CHANGED

Confidentiality (C)

HIGH

Integrity (I)

NONE

Availability (A)

NONE

References

Base Score

MEDIUM6.8

Weakness Type (CWE):CWE-1188

CVSS Metrics

Base Score

6.8

Vector String

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N

Base Severity

MEDIUM

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

HIGH

Privileges Required (PR)

NONE

User Interaction (UI)

NONE

Scope (S)

CHANGED

Confidentiality (C)

HIGH

Integrity (I)

NONE

Availability (A)

NONE