keda icon indicating copy to clipboard operation
keda copied to clipboard

Published 20 hours ago verified publisher icon kedacore

CVE-2022-3172 (Medium) detected in k8s.io/apimachinery-v0.24.4

Open mend-bolt-for-github[bot] opened this issue 1 year ago • 0 comments

CVE-2022-3172 - Medium Severity Vulnerability

Vulnerable Library - k8s.io/apimachinery-v0.24.4

null

Library home page: https://proxy.golang.org/k8s.io/apimachinery/@v/v0.24.4.zip

Dependency Hierarchy:

  • :x: k8s.io/apimachinery-v0.24.4 (Vulnerable Library)

Found in HEAD commit: f3e645589d16bc84a521e81b24dc90fe098643ad

Found in base branch: main

Vulnerability Details

A security issue was discovered in kube-apiserver that allows an aggregated API server to redirect client traffic to any URL. This issue leads to the client performing unexpected actions and forwarding the client's API server credentials to third parties

Publish Date: 2022-09-10

URL: CVE-2022-3172

CVSS 3 Score Details (5.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: High
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low
For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://bugzilla.redhat.com/show_bug.cgi?id=2127804

Release Date: 2022-09-10

Fix Resolution: v1.22.14,v1.23.11,v1.24.5,v1.25.1

Step up your Open Source Security Game with Mend here

mend-bolt-for-github[bot] avatar Sep 26 '22 15:09 mend-bolt-for-github[bot]