CVE-2022-1902 : A flaw was found in the Red Hat Advanced Cluster Security for Kubernetes. Notifi

A flaw was found in the Red Hat Advanced Cluster Security for Kubernetes. Notifier secrets were not properly sanitized in the GraphQL API. This flaw allows authenticated ACS users to retrieve Notifiers from the GraphQL API, revealing secrets that can escalate their privileges.

Published 2022-09-01 21:15:09

Updated 2023-02-12 22:15:24

Source Red Hat, Inc.

View at NVD, CVE.org

Products affected by CVE-2022-1902

Redhat » Advanced Cluster Security » Version: 3.68 For Kubernates
cpe:2.3:a:redhat:advanced_cluster_security:3.68:*:*:*:*:kubernates:*:*
Matching versions
Redhat » Advanced Cluster Security » Version: 3.69 For Kubernates
cpe:2.3:a:redhat:advanced_cluster_security:3.69:*:*:*:*:kubernates:*:*
Matching versions
Redhat » Advanced Cluster Security » Version: 3.70 For Kubernates
cpe:2.3:a:redhat:advanced_cluster_security:3.70:*:*:*:*:kubernates:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2022-1902

EPSS FAQ

0.18%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 37 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2022-1902

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
8.8	HIGH	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	2.8	5.9	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2022-1902

CWE-497 Exposure of Sensitive System Information to an Unauthorized Control Sphere

The product does not properly prevent sensitive system-level information from being accessed by unauthorized actors who do not have the same level of access to the underlying system as the product does.

Assigned by: secalert@redhat.com (Primary)
CWE-668 Exposure of Resource to Wrong Sphere

The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.

Assigned by: nvd@nist.gov (Secondary)

References for CVE-2022-1902

https://bugzilla.redhat.com/show_bug.cgi?id=2090957

2090957 – (CVE-2022-1902) CVE-2022-1902 stackrox: Improper sanitization allows users to retrieve Notifier secrets from GraphQL API in plaintext
Issue Tracking;Vendor Advisory
https://github.com/stackrox/stackrox/pull/1803

ROX-10845: Refactor notifier scrubbing by mtodor · Pull Request #1803 · stackrox/stackrox · GitHub
Exploit;Patch;Third Party Advisory
https://access.redhat.com/security/cve/CVE-2022-1902

CVE-2022-1902- Red Hat Customer Portal
Vendor Advisory

Jump to

Vulnerability Details : CVE-2022-1902

Products affected by CVE-2022-1902

Exploit prediction scoring system (EPSS) score for CVE-2022-1902

CVSS scores for CVE-2022-1902

CWE ids for CVE-2022-1902

References for CVE-2022-1902