#VU71694 Input validation error in Kiali - CVE-2022-3962

Cybersecurity Help s.r.o.

Published: 2023-01-31

Vulnerability identifier: #VU71694

Vulnerability risk: Low

CVSSv4.0: 1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2022-3962

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Kiali
Client/Desktop applications / Other client software

Vendor: Kiali

Description

The vulnerability allows a remote attacker to perform spoofing attack.

The vulnerability exists due to insufficient validation of user-supplied input on the login page. A remote attacker can inject arbitrary text into error message that will be displayed to the user after following a specially crafted link.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Kiali: 0.4.0 - 1.59.0

External links
https://issues.redhat.com/browse/OSSM-2251
https://bugzilla.redhat.com/show_bug.cgi?id=2148661

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Red Hat OpenShift Service Mesh 2.3

Spoofing attack in Kiali