Improper Certificate Validation in kubeclient - CVE-2022-0759

Published: April 25, 2022


Vulnerability identifier: #VU62574
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2022-0759
CWE-ID: CWE-295
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: ManageIQ
Affected software:
kubeclient

Detailed vulnerability description

The vulnerability allows a remote attacker to perform a man-in-the-middle (MitM) attack.

The vulnerability exists due to the way kubeclient parses kubeconfig files. When the kubeconfig file does not configure a custom CA to verify certificates, kubeclient ends up accepting any certificate (it wrongly returns VERIFY_NONE instead of verifying against the default trust store). A remote attacker can perform a MitM attack against connections to the Kubernetes API server.
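The following Ruby script is an added example, not code from the advisory or from the kubeclient project. It shows the distinction the description turns on: a kubeconfig cluster entry with no `certificate-authority` / `certificate-authority-data` should still be verified with `OpenSSL::SSL::VERIFY_PEER` against the system trust store, and only an explicit `insecure-skip-tls-verify: true` justifies `VERIFY_NONE`. The sample kubeconfig is constructed, and the `:verify_ssl` key checked by `verify_mode_safe?` is an assumed shape for a library's ssl_options hash, used here only to audit what a client actually produced.

```ruby
require 'yaml'
require 'openssl'

# Constructed sample kubeconfig (not from the advisory): three clusters that
# exercise the three cases a kubeconfig parser has to distinguish.
SAMPLE_KUBECONFIG = <<~YAML
  apiVersion: v1
  kind: Config
  clusters:
  - name: no-ca
    cluster:
      server: https://no-ca.example.invalid:6443
  - name: with-ca
    cluster:
      server: https://with-ca.example.invalid:6443
      certificate-authority-data: Q09OU1RSVUNURUQ=
  - name: skip-verify
    cluster:
      server: https://skip.example.invalid:6443
      insecure-skip-tls-verify: true
YAML

# Does this cluster entry configure a custom CA (file path or inline data)?
def custom_ca?(cluster)
  cluster.key?('certificate-authority') || cluster.key?('certificate-authority-data')
end

# The verify mode a kubeconfig-driven client should end up with. VERIFY_NONE
# is only correct when the file explicitly asks for it; a missing custom CA
# means "verify against the system trust store", not "do not verify".
def expected_verify_mode(cluster)
  return OpenSSL::SSL::VERIFY_NONE if cluster['insecure-skip-tls-verify'] == true

  OpenSSL::SSL::VERIFY_PEER
end

# Audit every cluster in a kubeconfig document and return, per cluster name,
# the mode a correct client must use and whether a custom CA is configured.
def audit_kubeconfig(yaml_text)
  doc = YAML.safe_load(yaml_text)
  (doc['clusters'] || []).each_with_object({}) do |entry, report|
    cluster = entry['cluster'] || {}
    report[entry['name']] = {
      server: cluster['server'],
      custom_ca: custom_ca?(cluster),
      verify_mode: expected_verify_mode(cluster)
    }
  end
end

# Compare the ssl_options a library produced for a cluster with the expected
# mode. ssl_options is assumed (for this example) to be a Hash whose
# :verify_ssl key holds an OpenSSL verify constant. A client that hands back
# VERIFY_NONE for a cluster without a custom CA fails this check.
def verify_mode_safe?(cluster, ssl_options)
  ssl_options[:verify_ssl] == expected_verify_mode(cluster)
end

if __FILE__ == $PROGRAM_NAME
  audit_kubeconfig(SAMPLE_KUBECONFIG).each do |name, info|
    mode = info[:verify_mode] == OpenSSL::SSL::VERIFY_PEER ? 'VERIFY_PEER' : 'VERIFY_NONE'
    puts "#{name}: custom_ca=#{info[:custom_ca]} expected=#{mode}"
  end
end
```

Run it against a real kubeconfig by replacing `SAMPLE_KUBECONFIG` with `File.read(path)`; any cluster reported as `custom_ca=false expected=VERIFY_PEER` is exactly the case where an affected kubeclient would silently drop to `VERIFY_NONE`, so those are the contexts to re-test after updating.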


How to mitigate CVE-2022-0759

Install updates from the vendor's website.

Sources