Bug 1203510 (CVE-2022-3172)

Summary: VUL-0: CVE-2022-3172: kubernetes: kube-apiserver: Aggregated API server can cause clients to be redirected (SSRF)
Product: [Novell Products] SUSE Security Incidents
Reporter: Thomas Leroy <thomas.leroy>
Component: Incidents
Assignee: Containers Team <containers-bugowner>
Status: NEW ---
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: jkowalczyk, security-team
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/342833/
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Thomas Leroy 2022-09-19 08:16:51 UTC

A security issue was discovered in kube-apiserver that allows an aggregated API server to redirect client traffic to any URL. This could lead to the
client performing unexpected actions as well as forwarding the client's API server credentials to third parties.

ref: https://github.com/kubernetes/kubernetes/issues/112513

Comment 1 Thomas Leroy 2022-09-19 08:20:45 UTC

Affected:
- SUSE:SLE-15-SP1:Update:Products:CASP40:Update
- openSUSE:Factory

Comment 2 Thomas Leroy 2022-09-19 09:38:54 UTC

(In reply to Thomas Leroy from comment #1)
> Affected:
> - SUSE:SLE-15-SP1:Update:Products:CASP40:Update

CVSS < 8.0 sorry, so I guess wontfix for casp

> - openSUSE:Factory