CVE-2023-1065 - Vulnerability Details - OpenCVE

This vulnerability in the Snyk Kubernetes Monitor can result in irrelevant data being posted to a Snyk Organization, which could in turn obfuscate other, relevant, security issues. It does not expose the user of the integration to any direct security risk and no user data can be leaked. To exploit the vulnerability the attacker does not need to be authenticated to Snyk but does need to know the target's Integration ID (which may or may not be the same as the Organization ID, although this is an unpredictable UUID in either case).

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable yes

Technical Impact partial

Vendors	Products
Snyk	Kubernetes Monitor

Configuration 1 [-]

cpe:2.3:a:snyk:kubernetes_monitor:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/snyk/kubernetes-monitor
https://github.com/snyk/kubernetes-monitor/commit/5b9a7821680bbfb6c4a900ab05d898ce2b2cc157
https://github.com/snyk/kubernetes-monitor/pull/1275
https://snyk.io/blog/api-auth-vuln-snyk-kubernetes-cve-2023-1065/

History

Fri, 07 Mar 2025 19:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: snyk

Published: 2023-02-28T18:32:47.899Z

Updated: 2025-03-07T18:37:42.258Z

Reserved: 2023-02-27T11:54:18.520Z

Link: CVE-2023-1065

Vulnrichment

Updated: 2024-08-02T05:32:46.387Z

NVD

Status : Modified

Published: 2023-02-28T19:15:16.727

Modified: 2024-11-21T07:38:23.587

Link: CVE-2023-1065

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-1065", "assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "state": "PUBLISHED", "assignerShortName": "snyk", "dateReserved": "2023-02-27T11:54:18.520Z", "datePublished": "2023-02-28T18:32:47.899Z", "dateUpdated": "2025-03-07T18:37:42.258Z"}, "containers": {"cna": {"affected": [{"product": "Snyk Kubernetes Monitor", "vendor": "Snyk", "versions": [{"lessThan": "2.0.0", "status": "affected", "version": "0", "versionType": "semver"}]}], "metrics": [{"cvssV3_1": {"attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}}], "providerMetadata": {"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "shortName": "snyk", "dateUpdated": "2023-03-01T11:27:50.500Z"}, "descriptions": [{"lang": "en", "value": "This vulnerability in the Snyk Kubernetes Monitor can result in irrelevant data being posted to a Snyk Organization, which could in turn obfuscate other, relevant, security issues. It does not expose the user of the integration to any direct security risk and no user data can be leaked. To exploit the vulnerability the attacker does not need to be authenticated to Snyk but does need to know the target's Integration ID (which may or may not be the same as the Organization ID, although this is an unpredictable UUID in either case)."}], "references": [{"url": "https://github.com/snyk/kubernetes-monitor"}, {"url": "https://github.com/snyk/kubernetes-monitor/commit/5b9a7821680bbfb6c4a900ab05d898ce2b2cc157"}, {"url": "https://snyk.io/blog/api-auth-vuln-snyk-kubernetes-cve-2023-1065/"}, {"url": "https://github.com/snyk/kubernetes-monitor/pull/1275"}], "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-287", "description": "CWE-287 Improper Authentication"}]}], "credits": [{"lang": "en", "value": "Tesco CyberSecurity Team"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T05:32:46.387Z"}, "title": "CVE Program Container", "references": [{"url": "https://github.com/snyk/kubernetes-monitor", "tags": ["x_transferred"]}, {"url": "https://github.com/snyk/kubernetes-monitor/commit/5b9a7821680bbfb6c4a900ab05d898ce2b2cc157", "tags": ["x_transferred"]}, {"url": "https://snyk.io/blog/api-auth-vuln-snyk-kubernetes-cve-2023-1065/", "tags": ["x_transferred"]}, {"url": "https://github.com/snyk/kubernetes-monitor/pull/1275", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-03-07T18:37:33.265395Z", "id": "CVE-2023-1065", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-07T18:37:42.258Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/snyk/kubernetes-monitor", "tags": ["x_transferred"]}, {"url": "https://github.com/snyk/kubernetes-monitor/commit/5b9a7821680bbfb6c4a900ab05d898ce2b2cc157", "tags": ["x_transferred"]}, {"url": "https://snyk.io/blog/api-auth-vuln-snyk-kubernetes-cve-2023-1065/", "tags": ["x_transferred"]}, {"url": "https://github.com/snyk/kubernetes-monitor/pull/1275", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T05:32:46.387Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-1065", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-03-07T18:37:33.265395Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-07T18:37:38.557Z"}}], "cna": {"credits": [{"lang": "en", "value": "Tesco CyberSecurity Team"}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "Snyk", "product": "Snyk Kubernetes Monitor", "versions": [{"status": "affected", "version": "0", "lessThan": "2.0.0", "versionType": "semver"}]}], "references": [{"url": "https://github.com/snyk/kubernetes-monitor"}, {"url": "https://github.com/snyk/kubernetes-monitor/commit/5b9a7821680bbfb6c4a900ab05d898ce2b2cc157"}, {"url": "https://snyk.io/blog/api-auth-vuln-snyk-kubernetes-cve-2023-1065/"}, {"url": "https://github.com/snyk/kubernetes-monitor/pull/1275"}], "descriptions": [{"lang": "en", "value": "This vulnerability in the Snyk Kubernetes Monitor can result in irrelevant data being posted to a Snyk Organization, which could in turn obfuscate other, relevant, security issues. It does not expose the user of the integration to any direct security risk and no user data can be leaked. To exploit the vulnerability the attacker does not need to be authenticated to Snyk but does need to know the target's Integration ID (which may or may not be the same as the Organization ID, although this is an unpredictable UUID in either case)."}], "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-287", "description": "CWE-287 Improper Authentication"}]}], "providerMetadata": {"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "shortName": "snyk", "dateUpdated": "2023-03-01T11:27:50.500Z"}}}, "cveMetadata": {"cveId": "CVE-2023-1065", "state": "PUBLISHED", "dateUpdated": "2025-03-07T18:37:42.258Z", "dateReserved": "2023-02-27T11:54:18.520Z", "assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "datePublished": "2023-02-28T18:32:47.899Z", "assignerShortName": "snyk"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:snyk:kubernetes_monitor:*:*:*:*:*:*:*:*", "matchCriteriaId": "B1E859F1-7DBE-4E50-BE04-05D68CD9337B", "versionEndExcluding": "2.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "This vulnerability in the Snyk Kubernetes Monitor can result in irrelevant data being posted to a Snyk Organization, which could in turn obfuscate other, relevant, security issues. It does not expose the user of the integration to any direct security risk and no user data can be leaked. To exploit the vulnerability the attacker does not need to be authenticated to Snyk but does need to know the target's Integration ID (which may or may not be the same as the Organization ID, although this is an unpredictable UUID in either case)."}], "id": "CVE-2023-1065", "lastModified": "2024-11-21T07:38:23.587", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "report@snyk.io", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-02-28T19:15:16.727", "references": [{"source": "report@snyk.io", "tags": ["Product"], "url": "https://github.com/snyk/kubernetes-monitor"}, {"source": "report@snyk.io", "tags": ["Patch"], "url": "https://github.com/snyk/kubernetes-monitor/commit/5b9a7821680bbfb6c4a900ab05d898ce2b2cc157"}, {"source": "report@snyk.io", "tags": ["Patch"], "url": "https://github.com/snyk/kubernetes-monitor/pull/1275"}, {"source": "report@snyk.io", "tags": ["Vendor Advisory"], "url": "https://snyk.io/blog/api-auth-vuln-snyk-kubernetes-cve-2023-1065/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Product"], "url": "https://github.com/snyk/kubernetes-monitor"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/snyk/kubernetes-monitor/commit/5b9a7821680bbfb6c4a900ab05d898ce2b2cc157"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/snyk/kubernetes-monitor/pull/1275"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://snyk.io/blog/api-auth-vuln-snyk-kubernetes-cve-2023-1065/"}], "sourceIdentifier": "report@snyk.io", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}], "source": "report@snyk.io", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-287"}], "source": "nvd@nist.gov", "type": "Primary"}]}