CVE-2025-46599 — CNCF K3s Kubernetes kubelet configuration exposes credentials in github.com/k3s-

描述

CNCF K3s Kubernetes kubelet configuration exposes credentials in github.com/k3s-io/k3s. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/k3s-io/k3s from v1.32.0-rc1 before v1.32.4-rc1.

如何修補 CVE-2025-46599

要修補 CVE-2025-46599,請將受影響套件升級到下列已修補版本。

—升級至 1.32.4-rc1 或更新版本
—未列出修補版本

CVE-2025-46599 正在被利用嗎?

低 — EPSS 為 0.3%,目前沒有觀察到大規模利用活動。

受影響套件(2)

>= 1.32.0-rc1, < 1.32.4-rc1
from 0

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	MEDIUM6.8	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N

參考連結(9)

ADVISORYgithub.com/advisories/GHSA-864f-7xjm-2jp2
ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-46599
PATCHgithub.com/k3s-io/k3s
WEBcloud.google.com/kubernetes-engine/docs/how-to/disable-kubelet-readonly-port
WEB