A flaw was found in kube-controller-manager. This issue occurs when the initial application of a HPA config YAML lacking a .spec.behavior.scaleUp block causes a denial of service due to KCM pods going into restart churn.

The remote SUSE Linux SLES15 / SLES_SAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2025:02423-2 advisory.

    - CVE-2021-25743: Escape terminal special characters in kubectl output (bsc#1194400).
    - CVE-2023-2431: Prevent pods to bypass the seccomp profile enforcement (bsc#1212493).
    - CVE-2024-0793: Advance autoscaling v2 as the preferred API version (bsc#1219964).
    - CVE-2024-3177: Prevent bypassing mountable secrets policy imposed by the ServiceAccount admission plugin     (bsc#1222539).
    - CVE-2025-22872: Properly handle trailing solidus in unquoted attribute value in foreign content     (bsc#1241865).

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES15 / SLES_SAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2024:3343-1 advisory.

    - CVE-2021-25743: escape, meta and control sequences in raw data output to terminal not neutralized.
    (bsc#1194400)
    - CVE-2023-2727: bypass of policies imposed by the ImagePolicyWebhook admission plugin. (bsc#1211630)
    - CVE-2023-2728: bypass of the mountable secrets policy enforced by the ServiceAccount admission plugin.
    (bsc#1211631)
    - CVE-2023-39325: go1.20: excessive resource consumption when dealing with rapid stream resets.
    (bsc#1229869)
    - CVE-2023-44487: google.golang.org/grpc, kube-apiserver: HTTP/2 rapid reset vulnerability. (bsc#1229869)
    - CVE-2023-45288: golang.org/x/net: excessive CPU consumption when processing unlimited sets of headers.
    (bsc#1229869)
    - CVE-2024-0793: kube-controller-manager pod crash when processing malformed HPA v1 manifests.
    (bsc#1219964)
    - CVE-2024-3177: bypass of the mountable secrets policy enforced by the ServiceAccount admission plugin.
    (bsc#1222539)
    - CVE-2024-24786: github.com/golang/protobuf: infinite loop when unmarshaling invalid JSON. (bsc#1229867)

    Bug fixes:

    - Use -trimpath in non-DBG mode for reproducible builds. (bsc#1062303)
    - Fix multiple issues for successful `kubeadm init` run. (bsc#1214406)
    - Update go to version 1.22.5 in build requirements. (bsc#1229858)

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES15 / SLES_SAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2024:3341-1 advisory.

    - CVE-2021-25743: escape, meta and control sequences in raw data output to terminal not neutralized.
    (bsc#1194400)
    - CVE-2023-2727: bypass of policies imposed by the ImagePolicyWebhook admission plugin. (bsc#1211630)
    - CVE-2023-2728: bypass of the mountable secrets policy enforced by the ServiceAccount admission plugin.
    (bsc#1211631)
    - CVE-2023-39325: go1.20: excessive resource consumption when dealing with rapid stream resets.
    (bsc#1229869)
    - CVE-2023-44487: google.golang.org/grpc, kube-apiserver: HTTP/2 rapid reset vulnerability. (bsc#1229869)
    - CVE-2023-45288: golang.org/x/net: excessive CPU consumption when processing unlimited sets of headers.
    (bsc#1229869)
    - CVE-2024-0793: kube-controller-manager pod crash when processing malformed HPA v1 manifests.
    (bsc#1219964)
    - CVE-2024-3177: bypass of the mountable secrets policy enforced by the ServiceAccount admission plugin.
    (bsc#1222539)
    - CVE-2024-24786: github.com/golang/protobuf: infinite loop when unmarshaling invalid JSON. (bsc#1229867)

    Bug fixes:

    - Use -trimpath in non-DBG mode for reproducible builds. (bsc#1062303)
    - Fix multiple issues for successful `kubeadm init` run. (bsc#1214406)
    - Update go to version 1.22.5 in build requirements. (bsc#1229858)

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES15 / SLES_SAP15 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2024:1166-2 advisory.

    - Upgrade from v1.26.9 to v1.26.14
    - CVE-2024-0793: Fixed a DoS caused via a malformed HPA v1 manifest. (bsc#1219964)

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2024:1166-1 advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2024:1164-1 advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2024:1163-1 advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2024:1165-1 advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 / 9 host has a package installed that is affected by a vulnerability as referenced in the RHSA-2024:1267 advisory.

    Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution     designed for on-premise or private cloud deployments.

    This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.12.53. See the     following advisory for the container images for this release:

    https://access.redhat.com/errata/RHSA-2024:1265

    Security Fix(es):

    * kube-controller-manager: malformed HPA v1 manifest causes crash     (CVE-2024-0793)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

    All OpenShift Container Platform 4.12 users are advised to upgrade to these updated packages and images     when they are available in the appropriate release channel. To check for available updates, use the     OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at     https://docs.openshift.com/container-platform/4.12/updating/updating-cluster-cli.html

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Red Hat Enterprise Linux CoreOS 4 host has a package installed that is affected by a vulnerability as referenced in the RHSA-2024:1267 advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
278691	SUSE SLES15 Security Update : kubernetes1.23 (SUSE-SU-2025:02423-2)	Nessus	SuSE Local Security Checks	medium
207490	SUSE SLES15 Security Update : kubernetes1.24 (SUSE-SU-2024:3343-1)	Nessus	SuSE Local Security Checks	critical
207488	SUSE SLES15 Security Update : kubernetes1.23 (SUSE-SU-2024:3341-1)	Nessus	SuSE Local Security Checks	critical
205486	SUSE SLES15 Security Update : kubernetes1.23 (SUSE-SU-2024:1166-2)	Nessus	SuSE Local Security Checks	high
193061	SUSE SLES15 / openSUSE 15 Security Update : kubernetes1.23 (SUSE-SU-2024:1166-1)	Nessus	SuSE Local Security Checks	high
193057	SUSE SLES15 / openSUSE 15 Security Update : kubernetes1.23 (SUSE-SU-2024:1164-1)	Nessus	SuSE Local Security Checks	high
193053	SUSE SLES15 / openSUSE 15 Security Update : kubernetes1.23 (SUSE-SU-2024:1163-1)	Nessus	SuSE Local Security Checks	high
193048	SUSE SLES15 / openSUSE 15 Security Update : kubernetes1.23 (SUSE-SU-2024:1165-1)	Nessus	SuSE Local Security Checks	high
192298	RHEL 8 / 9 : OpenShift Container Platform 4.12.53 (RHSA-2024:1267)	Nessus	Red Hat Local Security Checks	high
192297	RHCOS 4 : OpenShift Container Platform 4.12.53 (RHSA-2024:1267)	Nessus	Red Hat Local Security Checks	high

Detections

Analytics

CVE-2024-0793

high

Tenable Plugins

medium

critical

critical

high

high

high

high

high

high

high