### CVE-2022-3162: Unauthorized read of Custom Resources

A security issue was discovered in Kubernetes where users authorized to list or watch one type of namespaced custom resource cluster-wide can read custom resources of a different type in the same API group they are not authorized to read.

**Affected Versions**:
  - kube-apiserver v1.25.0 - v1.25.3

    int index = 0;
    int hashCode = 0;
    long size = 0;
    for (Entry<? extends E> entryWithWildcard : entries) {
      @SuppressWarnings("unchecked") // safe because we only read from it
      Entry<E> entry = (Entry<E>) entryWithWildcard;
      E element = checkNotNull(entry.getElement());
      int count = entry.getCount();
      int hash = element.hashCode();

 * properties are be specified. <b>With later containers the
 * {@code NtlmHttpFilter} should be used</b>. For custom NTLM HTTP Authentication schemes the {@code NtlmSsp} may be used.
 *
 * <p>
 * Read <a href="../../../ntlmhttpauth.html">jCIFS NTLM HTTP Authentication and the Network Explorer Servlet</a> related information.
 */

public abstract class NtlmServlet extends HttpServlet {

    /**

        for (int i = 0; i < nameBytes.length; i++) {
            assertEquals(nameBytes[i], dst[12 + i]);
        }
        assertEquals((byte) 0x00, dst[12 + nameBytes.length]);
    }

    /**
     * read*WireFormat methods in request return 0 (not implemented for requests).
     */
    @Test
    void testReadWireFormatStubsReturnZero() {
        // Given

            throws IOException;

    /**
     * Calculates checksums for specified stream. Upon this method returns, the stream will be depleted (fully read)
     * but not closed.
     *
     * @param stream      The stream for which to calculate checksums, must not be {@code null}.
     * @param algorithms  The checksum algorithms to use, must not be {@code null}.

		Stmts:    stmt_store.New(maxSize, ttl), // Initializes a new statement store with the specified maximum size and TTL.
		Mux:      &sync.RWMutex{},              // Sets up a read-write mutex for synchronizing access to the statement store.
	}
}

// GetDBConn returns the underlying *sql.DB connection
func (db *PreparedStmtDB) GetDBConn() (*sql.DB, error) {

	resp := lockRPCRLock.NewResponse()
	success, err := l.ll.RLock(ctx, *args)
	if err == nil && !success {
		err = errLockConflict
	}
	return l.makeResp(resp, err)
}

// RUnlockHandler - releases the acquired read lock.
func (l *lockRESTServer) RUnlockHandler(args *dsync.LockArgs) (*dsync.LockResp, *grid.RemoteErr) {
	resp := lockRPCRUnlock.NewResponse()

	// Write all data, syncs the data to disk.
	// Should be used for smaller payloads.
	WriteAll(ctx context.Context, volume string, path string, b []byte) (err error)

	// Read all.
	ReadAll(ctx context.Context, volume string, path string) (buf []byte, err error)
	GetDiskLoc() (poolIdx, setIdx, diskIdx int) // Retrieve location indexes.

		n := 1
		var base, ext string
		base = *privKeyPath
		if idx := strings.LastIndexByte(base, '.'); idx != -1 {
			ext = base[idx:]
			base = base[:idx]
		}
		for {
			// Automatically read "file.ext", "file-2.ext", "file-3.ext"...
			fn := base + ext
			if n > 1 {
				fn = fmt.Sprintf("%s-%d%s", base, n, ext)
			}

			if b, err := os.ReadFile(fn); err == nil {
				privateKeys = append(privateKeys, b)

	if o.args.AuthToken != "" {
		req.Header.Set("Authorization", o.args.AuthToken)
	}

	resp, err := o.client.Do(req)
	if err != nil {
		return false, err
	}
	defer o.args.CloseRespFn(resp.Body)

	// Read the body to be saved later.
	opaRespBytes, err := io.ReadAll(resp.Body)
	if err != nil {
		return false, err
	}

	// Handle large OPA responses when OPA URL is of