# Manage (get, list, watch, delete) CertificateSigningRequests

Information Disclosure | Medium

## Overview
| Field | Value |
|---|---|
| ID | 1054 |
| Name | Manage (get, list, watch, delete) CertificateSigningRequests |
| Risk Category | Information Disclosure |
| Risk Level | Medium |
| Role Type | ClusterRole |
| API Groups | certificates.k8s.io |
| Resources | certificatesigningrequests |
| Verbs | get, list, watch, delete |
| Tags | DenialOfService, InformationDisclosure, Tampering |
## Description
Permits viewing, listing, watching, or deleting CertificateSigningRequests. Viewing CSRs can disclose information about pending certificate requests. Deleting CSRs can cause denial of service by preventing legitimate certificates from being issued or renewed.
## Abuse Scenarios

- List all CertificateSigningRequests:

  ```shell
  kubectl get csr
  ```

- Delete a specific CertificateSigningRequest, preventing certificate issuance:

  ```shell
  kubectl delete csr <csr-name>
  # Example: kubectl delete csr my-app-csr
  ```
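The check a defender wants for this entry is "which ClusterRoles actually grant these verbs on CSRs", including roles that get there through the RBAC `*` wildcard rather than by naming the resource. The script below is an added example, not part of the original catalogue entry: it walks the `items[].rules[]` structure that `kubectl get clusterroles -o json` produces, honours `*` in `apiGroups`, `resources` and `verbs`, separates the read verbs (information disclosure) from `delete` (denial of service / tampering) using the tags from the table above, and notes when a grant is narrowed by `resourceNames`. The `SAMPLE` document and the role names in it are constructed for the example.

```python
"""Audit ClusterRoles for get/list/watch/delete on certificatesigningrequests.

Input shape mirrors `kubectl get clusterroles -o json` (items[].rules[]).
SAMPLE below is constructed for this example; pass a file path to audit a
real export instead.
"""
import json
import sys

API_GROUP = "certificates.k8s.io"
RESOURCE = "certificatesigningrequests"   # exact resource; 'certificatesigningrequests/approval' is a different grant
READ_VERBS = {"get", "list", "watch"}
DELETE_VERB = "delete"


def _grants(values, wanted):
    """True when an RBAC rule field lists `wanted` or the '*' wildcard."""
    return "*" in values or wanted in values


def rule_grants(rule, verb):
    """Does this single rule grant `verb` on CSRs in certificates.k8s.io?"""
    return (
        _grants(rule.get("apiGroups", []), API_GROUP)
        and _grants(rule.get("resources", []), RESOURCE)
        and _grants(rule.get("verbs", []), verb)
    )


def audit_cluster_roles(cluster_roles):
    """Return one finding per ClusterRole that grants any verb from this entry.

    Each finding carries the granted verbs, the risk tags they map to, and
    whether every granting rule is narrowed with resourceNames.
    """
    findings = []
    for role in cluster_roles.get("items", []):
        name = role["metadata"]["name"]
        granted = set()
        unscoped_grant = False
        for rule in role.get("rules", []):
            hits = {v for v in READ_VERBS | {DELETE_VERB} if rule_grants(rule, v)}
            if not hits:
                continue
            granted |= hits
            # resourceNames limits get/delete to named objects; a rule without
            # it reaches every CSR in the cluster.
            if not rule.get("resourceNames"):
                unscoped_grant = True
        if not granted:
            continue
        tags = []
        if granted & READ_VERBS:
            tags.append("InformationDisclosure")          # viewing pending requests
        if DELETE_VERB in granted:
            tags.extend(["DenialOfService", "Tampering"])  # blocking issuance/renewal
        findings.append({
            "role": name,
            "verbs": sorted(granted),
            "tags": tags,
            "scoped_by_resource_names": not unscoped_grant,
        })
    return findings


# Constructed sample: a wildcard role, a read-only CSR role, a delete role
# narrowed to one named CSR, and an unrelated pod-reader that must not match.
SAMPLE = {
    "items": [
        {"metadata": {"name": "wildcard-admin"},
         "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
        {"metadata": {"name": "csr-viewer"},
         "rules": [{"apiGroups": ["certificates.k8s.io"],
                    "resources": ["certificatesigningrequests"],
                    "verbs": ["get", "list", "watch"]}]},
        {"metadata": {"name": "csr-cleaner"},
         "rules": [{"apiGroups": ["certificates.k8s.io"],
                    "resources": ["certificatesigningrequests"],
                    "verbs": ["delete"], "resourceNames": ["stale-csr"]}]},
        {"metadata": {"name": "pod-reader"},
         "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
    ]
}


if __name__ == "__main__":
    # Usage: python audit_csr_rbac.py [clusterroles.json]
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            data = json.load(fh)
    else:
        data = SAMPLE
    for finding in audit_cluster_roles(data):
        print(json.dumps(finding))
```

When run against a real export, expect hits on built-in `system:*` roles that legitimately manage CSRs (the certificate controller and kubelet bootstrap paths); allow-list those explicitly and review the remainder, treating any unscoped `delete` grant outside them as the denial-of-service case the description above calls out.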