PT-2023-7334 · Unknown · Knative Serving

Adamkorcz · Published 2023-10-16 · Updated 2024-08-21 · CVE-2023-48713

CVSS v2.0: 6.8 (Medium)
Vector: AV:N/AC:L/Au:S/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions

Knative Serving versions prior to 0.39.0
Knative Serving versions prior to v1.10.5
Knative Serving versions prior to v1.11.3
Knative Serving versions prior to v1.12.0

Description

The issue is an unbounded memory allocation bug in Knative Serving that can cause a Denial-of-Service (DoS) of the autoscaler. An attacker who controls a pod and can control the responses from the "/metrics" endpoint can exploit this bug. This allows a non-privileged Knative user to cause a DoS for the cluster. The root cause is memory exhaustion in the autoscaler, which a malicious response can trigger.

Recommendations

For versions prior to 0.39.0, update to version 0.39.0 or later.
For versions prior to v1.10.5, update to version v1.10.5 or later.
For versions prior to v1.11.3, update to version v1.11.3 or later.
For versions prior to v1.12.0, update to version v1.12.0 or later.

As a temporary workaround, consider restricting access to the "/metrics" endpoint to minimize the risk of exploitation.
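The description attributes the DoS to memory allocated without a bound while a pod-controlled "/metrics" response is handled. The following Go code is an added example, not Knative's code or its actual fix: it shows the general defensive pattern of capping how much of an untrusted response a scraper will buffer, assuming the allocation grows with the response size. The names `readMetricsCapped`, `maxMetricsBytes`, `ErrMetricsTooLarge` and `endlessBody`, the 1 MiB cap and the sample body are all constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"strings"
)

// maxMetricsBytes is an assumed cap chosen for this example, not a Knative setting.
const maxMetricsBytes = 1 << 20 // 1 MiB

// ErrMetricsTooLarge is a hypothetical error for an oversized response.
var ErrMetricsTooLarge = errors.New("metrics response exceeds size cap")

// readMetricsCapped buffers at most limit bytes of an untrusted body and
// rejects anything larger instead of silently truncating it.
func readMetricsCapped(body io.Reader, limit int64) ([]byte, error) {
	// Allow one byte past the cap so an oversized body can be told apart
	// from one that is exactly limit bytes long.
	data, err := io.ReadAll(io.LimitReader(body, limit+1))
	if err != nil {
		return nil, err
	}
	if int64(len(data)) > limit {
		return nil, ErrMetricsTooLarge
	}
	return data, nil
}

// endlessBody is a constructed stand-in for a pod whose response never ends.
// Passing it straight to io.ReadAll would allocate until the process dies.
type endlessBody struct{ sent int64 }

func (e *endlessBody) Read(p []byte) (int, error) {
	for i := range p {
		p[i] = 'A'
	}
	e.sent += int64(len(p))
	return len(p), nil
}

func main() {
	ok, err := readMetricsCapped(strings.NewReader("example_metric 3\n"), maxMetricsBytes)
	fmt.Printf("normal body: %d bytes, err=%v\n", len(ok), err)
	hostile := &endlessBody{}
	_, err = readMetricsCapped(hostile, maxMetricsBytes)
	fmt.Printf("endless body: err=%v after %d bytes pulled\n", err, hostile.sent)
}
```

The cap bounds memory per scrape regardless of what the pod sends; rejecting the oversized body, rather than parsing a truncated one, keeps a partial response from being treated as valid metrics.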

Exploit

Fix

Resource Exhaustion

Weakness Enumeration

Related Identifiers

BDU:2023-08365
CVE-2023-48713
GHSA-QMVJ-4QR9-V547
GO-2023-2355

Affected Products

Knative Serving