Vulnerability Details : CVE-2022-0759
A flaw was found in all versions of kubeclient up to (but not including) v4.9.3, the Ruby client for the Kubernetes REST API, in the way it parsed kubeconfig files. When the kubeconfig file does not configure a custom CA to verify certificates, kubeclient ends up accepting any certificate (it wrongly returns VERIFY_NONE). Ruby applications that use kubeclient to parse kubeconfig files are susceptible to man-in-the-middle (MITM) attacks.
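The flawed and the corrected derivation of the TLS verify mode side by side, as an added Ruby illustration of the behaviour described above (not kubeclient's own source); the sample kubeconfig, its cluster names and the helper names are constructed for this example.

```ruby
require 'openssl'
require 'yaml'

# Constructed sample kubeconfig (not from the advisory). The three clusters
# cover the cases at issue: no custom CA, a custom CA, and an explicit opt-out.
SAMPLE_KUBECONFIG = <<~YAML
  clusters:
  - name: public-ca
    cluster:
      server: https://public.example.invalid:6443
  - name: custom-ca
    cluster:
      server: https://private.example.invalid:6443
      certificate-authority: /path/to/ca.crt
  - name: skip-verify
    cluster:
      server: https://dev.example.invalid:6443
      insecure-skip-tls-verify: true
YAML

def find_cluster(config_yaml, name)
  YAML.safe_load(config_yaml)['clusters'].find { |c| c['name'] == name }['cluster']
end

# Flawed derivation, modelled on what CVE-2022-0759 describes: verification is
# only switched on when a custom CA is configured, so the common case of
# trusting the system CA store silently ends up with VERIFY_NONE.
def verify_mode_flawed(cluster)
  if cluster['certificate-authority'] || cluster['certificate-authority-data']
    OpenSSL::SSL::VERIFY_PEER
  else
    OpenSSL::SSL::VERIFY_NONE
  end
end

# Corrected derivation: verify unless the user explicitly opted out with
# insecure-skip-tls-verify (the field issue #555 reports was ignored). A custom
# CA changes which store is trusted, not whether verification happens.
def verify_mode_fixed(cluster)
  cluster['insecure-skip-tls-verify'] == true ? OpenSSL::SSL::VERIFY_NONE : OpenSSL::SSL::VERIFY_PEER
end

# Defender's check: clusters whose effective verify mode differs between the
# flawed and the corrected logic are the ones a vulnerable client exposes.
def affected_clusters(config_yaml)
  YAML.safe_load(config_yaml)['clusters']
      .select { |c| verify_mode_flawed(c['cluster']) != verify_mode_fixed(c['cluster']) }
      .map { |c| c['name'] }
end

puts affected_clusters(SAMPLE_KUBECONFIG).inspect if __FILE__ == $PROGRAM_NAME
```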
Products affected by CVE-2022-0759
- cpe:2.3:a:redhat:kubeclient:*:*:*:*:*:ruby:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-0759
- EPSS score: 0.11% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~43% (the proportion of vulnerabilities that are scored at or below this score)
CVSS scores for CVE-2022-0759
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P | 8.6 | 6.4 | NIST |
8.1 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H | 2.2 | 5.9 | NIST |
CWE ids for CVE-2022-0759
- The product does not validate, or incorrectly validates, a certificate. Assigned by:
  - nvd@nist.gov (Primary)
  - secalert@redhat.com (Secondary)
References for CVE-2022-0759
- https://github.com/ManageIQ/kubeclient/issues/554 : VULNERABILITY: `Config` defaults to `VERIFY_NONE` when kubeconfig doesn't specify custom CA · Issue #554 · ManageIQ/kubeclient · GitHub (Issue Tracking; Patch; Third Party Advisory)
- https://github.com/ManageIQ/kubeclient/issues/555 : `Config` ignores `insecure-skip-tls-verify` field · Issue #555 · ManageIQ/kubeclient · GitHub (Issue Tracking; Patch; Third Party Advisory)