Bug 1203510 - (CVE-2022-3172) VUL-0: CVE-2022-3172: kubernetes: kube-apiserver: Aggregated API server can cause clients to be redirected (SSRF)
Status: NEW
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assigned To: Containers Team
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/342833/
Depends on:
Blocks:
Reported: 2022-09-19 08:16 UTC by Thomas Leroy
Modified: 2022-09-19 09:38 UTC
CC: 2 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Thomas Leroy 2022-09-19 08:16:51 UTC
rh#2127804

A security issue was discovered in kube-apiserver that allows an aggregated API server to redirect client traffic to any URL. This could lead to the client performing unexpected actions as well as forwarding the client's API server credentials to third parties.

ref: https://github.com/kubernetes/kubernetes/issues/112513

References:
https://bugzilla.redhat.com/show_bug.cgi?id=2127804
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3172
https://seclists.org/oss-sec/2022/q3/207
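The credential-forwarding risk in the description above, shown as an added example that is not part of this bug report, the Kubernetes fix, or any SUSE package. It models a client whose transport injects a bearer token on every outgoing request (an assumption about client behaviour, not taken from the page), points it at a constructed "aggregated" endpoint that answers with a 302 to a constructed third-party endpoint, and compares the default redirect handling with a CheckRedirect policy that refuses cross-host redirects. All hosts, paths and the token value are constructed for the demonstration; the upstream fix itself is not reproduced here.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"sync/atomic"
)

// bearerTransport injects a bearer token into every outgoing request.
// Because it runs per request, it also re-adds the token on the requests
// net/http issues while following redirects, so net/http's own stripping of
// Authorization on cross-domain redirects does not protect this client.
// (Assumed client behaviour for the example, not taken from the page.)
type bearerTransport struct {
	token string
	next  http.RoundTripper
}

func (t *bearerTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	r := req.Clone(req.Context())
	r.Header.Set("Authorization", "Bearer "+t.token)
	return t.next.RoundTrip(r)
}

// sameHostOnly is an http.Client CheckRedirect policy that refuses to follow
// any redirect whose target host differs from the host of the first request.
func sameHostOnly(req *http.Request, via []*http.Request) error {
	if req.URL.Host != via[0].URL.Host {
		return fmt.Errorf("refusing redirect from %s to %s", via[0].URL.Host, req.URL.Host)
	}
	return nil
}

// Scenario reports what the constructed third-party endpoint observed and
// whether the client call failed.
type Scenario struct {
	ThirdPartySawToken bool
	Err                error
}

// Run stands up the two constructed endpoints and issues one client request.
// hardened=false uses net/http's default redirect handling; hardened=true
// installs the same-host policy.
func Run(hardened bool) Scenario {
	var sawToken int32
	thirdParty := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != "" {
			atomic.StoreInt32(&sawToken, 1)
		}
		w.WriteHeader(http.StatusOK)
	}))
	defer thirdParty.Close()

	// The constructed "aggregated API server": every request is redirected off-host.
	aggregated := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		http.Redirect(w, r, thirdParty.URL+"/collect", http.StatusFound)
	}))
	defer aggregated.Close()

	client := &http.Client{
		Transport: &bearerTransport{token: "constructed-example-token", next: http.DefaultTransport},
	}
	if hardened {
		client.CheckRedirect = sameHostOnly
	}

	resp, err := client.Get(aggregated.URL + "/apis/example.io/v1/widgets")
	if resp != nil {
		resp.Body.Close()
	}
	return Scenario{ThirdPartySawToken: atomic.LoadInt32(&sawToken) == 1, Err: err}
}

func main() {
	for _, hardened := range []bool{false, true} {
		s := Run(hardened)
		fmt.Printf("hardened=%v thirdPartySawToken=%v err=%v\n", hardened, s.ThirdPartySawToken, s.Err)
	}
}
```

With the default policy the token reaches the third-party endpoint; with the same-host policy the client stops at the 302 and returns an error instead, which is the observable behaviour a defender wants from any client that carries API server credentials.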
Comment 1 Thomas Leroy 2022-09-19 08:20:45 UTC
Affected:
- SUSE:SLE-15-SP1:Update:Products:CASP40:Update
- openSUSE:Factory
Comment 2 Thomas Leroy 2022-09-19 09:38:54 UTC
(In reply to Thomas Leroy from comment #1)
> Affected:
> - SUSE:SLE-15-SP1:Update:Products:CASP40:Update

CVSS < 8.0 sorry, so I guess wontfix for casp

> - openSUSE:Factory