SCA: security update for github.com/kubeedge/kubeedge (GHSA-8f4f-v9x5-cg6j)

medium Tenable Cloud Security Plugin ID 412614

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- KubeEdge is built upon Kubernetes and extends native containerized application orchestration and device
management to hosts at the Edge. In affected versions a malicious message can crash CloudCore by
triggering a nil-pointer dereference in the UDS Server. Since the UDS Server only communicates with the
CSI Driver on the cloud side, the attack is limited to the local host network. As such, an attacker would
already need to be an authenticated user of the Cloud. Additionally it will be affected only when users
turn on the unixsocket switch in the config file cloudcore.yaml. This bug has been fixed in Kubeedge
1.11.0, 1.10.1, and 1.9.3. Users should update to these versions to resolve the issue. Users unable to
upgrade should sisable the unixsocket switch of CloudHub in the config file cloudcore.yaml.
(CVE-2022-31076)

See Also

https://github.com/advisories/GHSA-8f4f-v9x5-cg6j

Plugin Details

Severity: Medium

ID: 412614

Version: Revision 1.6

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.18

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Low

Base Score: 2.7

Temporal Score: 2.1

Vector: CVSS2#AV:A/AC:L/Au:S/C:N/I:N/A:P

CVSS Score Source: CVE-2022-31076

CVSS v3

Risk Factor: Medium

Base Score: 5.7

Temporal Score: 5.1

Vector: CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 6/25/2022

Vulnerability Publication Date: 6/25/2022

Reference Information

CVE: CVE-2022-31076

cwe: CWE-476