CVE-2022-0759

Published: Mar 25, 2022Modified: Nov 21, 2024

8.1

Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.2 / Impact: 5.9

Source: NVD

Description

A flaw was found in all versions of kubeclient up to (but not including) v4.9.3, the Ruby client for Kubernetes REST API, in the way it parsed kubeconfig files. When the kubeconfig file does not configure custom CA to verify certs, kubeclient ends up accepting any certificate (it wrongly returns VERIFY_NONE). Ruby applications that leverage kubeclient to parse kubeconfig files are susceptible to Man-in-the-middle attacks (MITM).

Affected (1)

Products: Redhat: Kubeclient

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Redhat Kubeclient	Before 4.9.3

Related CWEs

Improper Certificate Validation

The product does not validate, or incorrectly validates, a certificate.

References (4)

https://github.com/ManageIQ/kubeclient/issues/554

Source: secalert@redhat.com

Issue TrackingPatchThird Party Advisory

https://github.com/ManageIQ/kubeclient/issues/555

Source: secalert@redhat.com

Issue TrackingPatchThird Party Advisory

https://github.com/ManageIQ/kubeclient/issues/554

Source: af854a3a-2127-422b-91ae-364da2661108

Issue TrackingPatchThird Party Advisory

https://github.com/ManageIQ/kubeclient/issues/555

Source: af854a3a-2127-422b-91ae-364da2661108

Issue TrackingPatchThird Party Advisory

Timeline

No history available yet.