CVE-2022-3248 - OpenCVE

A flaw was found in OpenShift API, as admission checks do not enforce "custom-host" permissions. This issue could allow an attacker to violate the boundaries, as permissions will not be applied.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Redhat	Openshift Container Platform Advanced Cluster Management For Kubernetes

Configuration 1 [-]

OR	cpe:2.3:a:redhat:advanced_cluster_management_for_kubernetes:2.0:::::::*
	cpe:2.3:a:redhat:openshift_container_platform:4.0:::::::*

References

Link	Resource
https://access.redhat.com/security/cve/CVE-2022-3248	Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2072188	Issue Tracking Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: redhat

Published: 2023-10-05T13:28:27.973Z

Updated: 2023-10-05T13:28:27.973Z

Reserved: 2022-09-20T14:18:05.021Z

Link: CVE-2022-3248

JSON object: View

NVD Information

Status : Modified

Published: 2023-10-05T14:15:09.650

Modified: 2023-11-07T03:51:00.710

Link: CVE-2022-3248

JSON object: View

Redhat Information

No data.

CWE

CWE-863

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2022-3248", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2022-09-20T14:18:05.021Z", "datePublished": "2023-10-05T13:28:27.973Z", "dateUpdated": "2023-10-05T13:28:27.973Z"}, "containers": {"cna": {"title": "Openshift api admission checks does not enforce \"custom-host\" permissions", "metrics": [{"other": {"content": {"value": "Low", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "A flaw was found in OpenShift API, as admission checks do not enforce \"custom-host\" permissions. This issue could allow an attacker to violate the boundaries, as permissions will not be applied."}], "affected": [{"product": "kubernetes", "vendor": "n/a", "defaultStatus": "affected"}, {"vendor": "Red Hat", "product": "Red Hat Advanced Cluster Management for Kubernetes 2", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "rhacm2/agent-service-rhel8", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:acm:2"]}, {"vendor": "Red Hat", "product": "Red Hat Ansible Automation Platform 1.2", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "kubernetes", "defaultStatus": "unaffected", "cpes": ["cpe:/a:redhat:ansible_automation_platform"]}, {"vendor": "Red Hat", "product": "Red Hat Ansible Tower 3", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "kubernetes", "defaultStatus": "unaffected", "cpes": ["cpe:/a:redhat:ansible_tower:3"]}, {"vendor": "Red Hat", "product": "Red Hat OpenShift Container Platform 3.11", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "atomic-openshift", "defaultStatus": "unknown", "cpes": ["cpe:/a:redhat:openshift:3.11"]}, {"vendor": "Red Hat", "product": "Red Hat OpenShift Container Platform 4", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "openshift", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:openshift:4"]}, {"vendor": "Red Hat", "product": "Red Hat OpenShift Container Platform 4", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "openshift-clients", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:openshift:4"]}], "references": [{"url": "https://access.redhat.com/security/cve/CVE-2022-3248", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2072188", "name": "RHBZ#2072188", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "datePublic": "2023-10-05T00:00:00+00:00", "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "description": "Incorrect Authorization", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-863: Incorrect Authorization", "timeline": [{"lang": "en", "time": "2022-03-23T00:00:00+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2023-10-05T00:00:00+00:00", "value": "Made public."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2023-10-05T13:28:27.973Z"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:advanced_cluster_management_for_kubernetes:2.0:*:*:*:*:*:*:*", "matchCriteriaId": "4B0E6B4B-BAA6-474E-A18C-72C9719CEC1F", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:openshift_container_platform:4.0:*:*:*:*:*:*:*", "matchCriteriaId": "932D137F-528B-4526-9A89-CD59FA1AB0FE", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A flaw was found in OpenShift API, as admission checks do not enforce \"custom-host\" permissions. This issue could allow an attacker to violate the boundaries, as permissions will not be applied."}, {"lang": "es", "value": "Se encontr\u00f3 una falla en la API de OpenShift, ya que las comprobaciones de admisi\u00f3n no aplican permisos de \"custom-host\". Este problema podr\u00eda permitir que un atacante viole los l\u00edmites, ya que no se aplicar\u00e1n los permisos."}], "id": "CVE-2022-3248", "lastModified": "2023-11-07T03:51:00.710", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 0.7, "impactScore": 3.6, "source": "secalert@redhat.com", "type": "Secondary"}]}, "published": "2023-10-05T14:15:09.650", "references": [{"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/security/cve/CVE-2022-3248"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2072188"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-863"}], "source": "secalert@redhat.com", "type": "Secondary"}]}