A vulnerability exists in the NodeRestriction admission controller in Kubernetes clusters where node users can delete their corresponding node object by patching themselves with an OwnerReference to a cluster-scoped resource. If the OwnerReference resource does not exist or is subsequently deleted, the given node object will be deleted via garbage collection.
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| k8s.io/kubernetes(Go) | 0 | 1.31.12 | N/A |
| k8s.io/kubernetes(Go) | 1.32.0-alpha.0 | 1.32.8 | N/A |
| k8s.io/kubernetes(Go) | 1.33.0-alpha.0 | 1.33.4 | N/A |
CVSS Metrics
