#VU62574 Improper Certificate Validation in kubeclient - CVE-2022-0759


Published: April 25, 2022


Vulnerability identifier: #VU62574
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2022-0759
CWE-ID: CWE-295
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
kubeclient
Software vendor:
ManageIQ

Description

The vulnerability allows a remote attacker to perform a man-in-the-middle (MitM) attack.

The vulnerability exists due to the way kubeclient parses kubeconfig files. When the cluster entry in the kubeconfig does not configure a custom CA (no certificate-authority or certificate-authority-data field), kubeclient sets the TLS verify mode to OpenSSL::SSL::VERIFY_NONE instead of VERIFY_PEER, so the client accepts any server certificate. This is the common case for clusters whose API server certificate chains to a CA already in the system trust store; verification should only be disabled when the kubeconfig explicitly sets insecure-skip-tls-verify: true. An attacker positioned between the client and the Kubernetes API server can present their own certificate, then intercept and modify the API traffic, including the credentials the client sends with each request.
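The following is an added example in Ruby, not kubeclient's own code: a simplified model of the kubeconfig parsing path the advisory describes, with the vulnerable verify-mode resolution beside the hardened one, and an audit helper that reports whether a given kubeconfig would have been left unverified. The kubeconfig contents, the build_kubeconfig helper and the function names are constructed for illustration.

```ruby
require 'yaml'
require 'openssl'

# Construct a minimal kubeconfig with the given extra fields in the cluster block.
# Sample data only; the server, user and token are made up.
def build_kubeconfig(cluster_fields)
  {
    'apiVersion' => 'v1',
    'current-context' => 'prod',
    'clusters' => [{
      'name' => 'prod',
      'cluster' => { 'server' => 'https://api.example.internal:6443' }.merge(cluster_fields)
    }],
    'contexts' => [{ 'name' => 'prod', 'context' => { 'cluster' => 'prod', 'user' => 'admin' } }],
    'users' => [{ 'name' => 'admin', 'user' => { 'token' => 'constructed-example-token' } }]
  }.to_yaml
end

# The case CVE-2022-0759 affects: no custom CA, so the API server certificate
# is expected to chain to a CA in the system trust store.
KUBECONFIG_NO_CA = build_kubeconfig({})
# A custom CA is configured; verification was enabled even in vulnerable versions.
KUBECONFIG_WITH_CA = build_kubeconfig('certificate-authority' => '/etc/kubernetes/pki/ca.crt')
# The user explicitly opted out of verification; VERIFY_NONE is the intended result here.
KUBECONFIG_SKIP_VERIFY = build_kubeconfig('insecure-skip-tls-verify' => true)

# Resolve the cluster block referenced by the kubeconfig's current-context.
def current_cluster(kubeconfig_yaml)
  cfg = YAML.safe_load(kubeconfig_yaml)
  ctx_name = cfg.fetch('current-context')
  ctx = cfg.fetch('contexts').find { |c| c['name'] == ctx_name }.fetch('context')
  cfg.fetch('clusters').find { |c| c['name'] == ctx['cluster'] }.fetch('cluster')
end

def custom_ca?(cluster)
  !(cluster['certificate-authority'] || cluster['certificate-authority-data']).nil?
end

# Simplified model of the vulnerable behaviour described in the advisory
# (not kubeclient's actual source): verification is only switched on when a
# custom CA is present, so a kubeconfig without one silently gets VERIFY_NONE.
def verify_mode_vulnerable(cluster)
  return OpenSSL::SSL::VERIFY_NONE if cluster['insecure-skip-tls-verify']
  custom_ca?(cluster) ? OpenSSL::SSL::VERIFY_PEER : OpenSSL::SSL::VERIFY_NONE
end

# Hardened resolution: verify unless the user explicitly opted out. Without a
# custom CA, VERIFY_PEER validates the chain against the system trust store.
def verify_mode_fixed(cluster)
  cluster['insecure-skip-tls-verify'] ? OpenSSL::SSL::VERIFY_NONE : OpenSSL::SSL::VERIFY_PEER
end

# Build the TLS client context the hardened logic would hand to the HTTP layer:
# custom CA file when configured, otherwise the platform's default CA paths.
def ssl_context_for(cluster)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.verify_mode = verify_mode_fixed(cluster)
  ctx.verify_hostname = true
  if cluster['certificate-authority']
    ctx.ca_file = cluster['certificate-authority']
  else
    ctx.cert_store = OpenSSL::X509::Store.new.tap(&:set_default_paths)
  end
  ctx
end

# Audit helper: true when a vulnerable kubeclient would have disabled
# verification for this kubeconfig without the user asking for it.
def silently_unverified?(kubeconfig_yaml)
  cluster = current_cluster(kubeconfig_yaml)
  verify_mode_vulnerable(cluster) == OpenSSL::SSL::VERIFY_NONE &&
    !cluster['insecure-skip-tls-verify']
end

if __FILE__ == $PROGRAM_NAME
  { 'no CA' => KUBECONFIG_NO_CA, 'custom CA' => KUBECONFIG_WITH_CA,
    'skip-tls-verify' => KUBECONFIG_SKIP_VERIFY }.each do |label, yaml|
    cluster = current_cluster(yaml)
    puts format('%-16s vulnerable=%d fixed=%d silently_unverified=%s', label,
                verify_mode_vulnerable(cluster), verify_mode_fixed(cluster),
                silently_unverified?(yaml))
  end
end
```

To check an installed kubeclient directly rather than this model, load the kubeconfig through the library and inspect the verify mode it resolved; assuming the Config/Context API as I recall it (Kubeclient::Config.read(path).context.ssl_options[:verify_ssl]), a kubeconfig with no custom CA should yield OpenSSL::SSL::VERIFY_PEER (1) on a fixed version and VERIFY_NONE (0) on a vulnerable one.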


Remediation

Install updates from the vendor's website. The fix is included in kubeclient 4.9.3; after upgrading, a kubeconfig without a custom CA is verified against the system trust store, and verification is disabled only when insecure-skip-tls-verify: true is set explicitly.

External links