CVE-2022-0484 - OpenCVE

Lack of validation of URLs causes Mirantis Container Cloud Lens Extension before v3.1.1 to open external programs other than the default browser to perform sign on to a new cluster. An attacker could host a webserver which serves a malicious Mirantis Container Cloud configuration file and induce the victim to add a new cluster via its URL. This issue affects: Mirantis Mirantis Container Cloud Lens Extension v3 versions prior to v3.1.1.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:M/Au:N/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Mirantis	Container Cloud Lens Extension

Configuration 1 [-]

cpe:2.3:a:mirantis:container_cloud_lens_extension:*:*:*:*:*:*:*:*

References

Link	Resource
https://github.com/Mirantis/security/blob/main/advisories/0005.md	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: Mirantis

Published: 2022-02-03T00:00:00

Updated: 2022-02-04T22:29:20

Reserved: 2022-02-03T00:00:00

Link: CVE-2022-0484

JSON object: View

NVD Information

Status : Analyzed

Published: 2022-02-04T23:15:12.843

Modified: 2022-02-09T19:35:51.577

Link: CVE-2022-0484

JSON object: View

Redhat Information

No data.

CWE

CWE-20

{"containers": {"cna": {"affected": [{"product": "Mirantis Container Cloud Lens Extension", "vendor": "Mirantis", "versions": [{"lessThan": "v3.1.1", "status": "affected", "version": "v3", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Mirantis PSIRT"}], "datePublic": "2022-02-03T00:00:00", "descriptions": [{"lang": "en", "value": "Lack of validation of URLs causes Mirantis Container Cloud Lens Extension before v3.1.1 to open external programs other than the default browser to perform sign on to a new cluster. An attacker could host a webserver which serves a malicious Mirantis Container Cloud configuration file and induce the victim to add a new cluster via its URL. This issue affects: Mirantis Mirantis Container Cloud Lens Extension v3 versions prior to v3.1.1."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "description": "CWE-20 Improper Input Validation", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-02-04T22:29:20", "orgId": "ac17a704-eccd-4263-a802-5cee95c1d547", "shortName": "Mirantis"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/Mirantis/security/blob/main/advisories/0005.md"}], "source": {"advisory": "0005", "discovery": "INTERNAL"}, "title": "Improper URL Validation causes Mirantis Container Cloud Lens Extension to open external programs", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "psirt@mirantis.com", "DATE_PUBLIC": "2022-02-03T17:30:00.000Z", "ID": "CVE-2022-0484", "STATE": "PUBLIC", "TITLE": "Improper URL Validation causes Mirantis Container Cloud Lens Extension to open external programs"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Mirantis Container Cloud Lens Extension", "version": {"version_data": [{"version_affected": "<", "version_name": "v3", "version_value": "v3.1.1"}]}}]}, "vendor_name": "Mirantis"}]}}, "credit": [{"lang": "eng", "value": "Mirantis PSIRT"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Lack of validation of URLs causes Mirantis Container Cloud Lens Extension before v3.1.1 to open external programs other than the default browser to perform sign on to a new cluster. An attacker could host a webserver which serves a malicious Mirantis Container Cloud configuration file and induce the victim to add a new cluster via its URL. This issue affects: Mirantis Mirantis Container Cloud Lens Extension v3 versions prior to v3.1.1."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-20 Improper Input Validation"}]}]}, "references": {"reference_data": [{"name": "https://github.com/Mirantis/security/blob/main/advisories/0005.md", "refsource": "MISC", "url": "https://github.com/Mirantis/security/blob/main/advisories/0005.md"}]}, "source": {"advisory": "0005", "discovery": "INTERNAL"}}}}, "cveMetadata": {"assignerOrgId": "ac17a704-eccd-4263-a802-5cee95c1d547", "assignerShortName": "Mirantis", "cveId": "CVE-2022-0484", "datePublished": "2022-02-03T00:00:00", "dateReserved": "2022-02-03T00:00:00", "dateUpdated": "2022-02-04T22:29:20", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mirantis:container_cloud_lens_extension:*:*:*:*:*:*:*:*", "matchCriteriaId": "7077A81D-D202-4B73-84CC-9747445F9460", "versionEndExcluding": "3.1.1", "versionStartIncluding": "3.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Lack of validation of URLs causes Mirantis Container Cloud Lens Extension before v3.1.1 to open external programs other than the default browser to perform sign on to a new cluster. An attacker could host a webserver which serves a malicious Mirantis Container Cloud configuration file and induce the victim to add a new cluster via its URL. This issue affects: Mirantis Mirantis Container Cloud Lens Extension v3 versions prior to v3.1.1."}, {"lang": "es", "value": "Una falta de comprobaci\u00f3n de las URLs causa que Mirantis Container Cloud Lens Extension versiones anteriores a v3.1.1, abra programas externos distintos al navegador por defecto para llevar a cabo el inicio de sesi\u00f3n en un nuevo cluster. Un atacante podr\u00eda alojar un servidor web que sirva un archivo de configuraci\u00f3n de Mirantis Container Cloud malicioso e inducir a la v\u00edctima a a\u00f1adir un nuevo cluster por medio de su URL. Este problema afecta a: Mirantis Container Cloud Lens Extension versiones v3 anteriores a la v3.1.1"}], "id": "CVE-2022-0484", "lastModified": "2022-02-09T19:35:51.577", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "psirt@mirantis.com", "type": "Secondary"}]}, "published": "2022-02-04T23:15:12.843", "references": [{"source": "psirt@mirantis.com", "tags": ["Third Party Advisory"], "url": "https://github.com/Mirantis/security/blob/main/advisories/0005.md"}], "sourceIdentifier": "psirt@mirantis.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-20"}], "source": "psirt@mirantis.com", "type": "Secondary"}]}