CVE-2022-0759 kubeclient

Package

Manager: gem
Name: kubeclient
Vulnerable Version: >=0 <4.9.3

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00114 (percentile 0.30641)

Details

Improper Certificate Validation in kubeclient

A flaw was found in all versions of kubeclient up to (but not including) v4.9.3, the Ruby client for the Kubernetes REST API, in the way it parsed kubeconfig files. When the kubeconfig file does not configure a custom CA to verify certificates, kubeclient ends up accepting any certificate (it wrongly returns VERIFY_NONE instead of verifying against the system trust store). Ruby applications that use kubeclient to parse kubeconfig files are therefore susceptible to man-in-the-middle (MITM) attacks.
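As an added illustration (not the kubeclient gem's own code), the Ruby below models the behaviour the advisory describes next to a hardened version, and includes a guard a caller can apply to any ssl_options hash before building a client; the kubeconfig document is constructed for the example.

```ruby
require 'yaml'
require 'openssl'

# Constructed kubeconfig: the cluster carries no certificate-authority /
# certificate-authority-data and does not set insecure-skip-tls-verify,
# so a correct client must still verify against the system trust store.
KUBECONFIG_NO_CA = <<~YAML
  apiVersion: v1
  clusters:
  - name: prod
    cluster:
      server: https://k8s.example.invalid:6443
  contexts:
  - name: prod
    context: {cluster: prod, user: admin}
  current-context: prod
  users:
  - name: admin
    user: {token: REDACTED}
YAML

# Resolve the cluster block referenced by current-context.
def cluster_for(kubeconfig_yaml)
  cfg = YAML.safe_load(kubeconfig_yaml)
  ctx = cfg['contexts'].find { |c| c['name'] == cfg['current-context'] }
  cfg['clusters'].find { |c| c['name'] == ctx['context']['cluster'] }['cluster']
end

# Model of the pre-4.9.3 logic the advisory describes: verification is only
# switched on when a custom CA is present, otherwise VERIFY_NONE is returned.
def vulnerable_ssl_options(cluster)
  ca = cluster['certificate-authority'] || cluster['certificate-authority-data']
  return { verify_ssl: OpenSSL::SSL::VERIFY_NONE } unless ca
  { verify_ssl: OpenSSL::SSL::VERIFY_PEER, ca: ca }
end

# Hardened logic: VERIFY_PEER by default (system trust store), a custom CA
# narrows trust, and only an explicit insecure-skip-tls-verify disables it.
def hardened_ssl_options(cluster)
  opts = { verify_ssl: OpenSSL::SSL::VERIFY_PEER }
  opts[:verify_ssl] = OpenSSL::SSL::VERIFY_NONE if cluster['insecure-skip-tls-verify'] == true
  ca = cluster['certificate-authority'] || cluster['certificate-authority-data']
  opts[:ca] = ca if ca # a real client would load this into a cert store
  opts
end

# Guard for callers: refuse to build a client from options that skip
# certificate verification, whichever library produced them.
def verifies_peer?(ssl_options)
  ssl_options[:verify_ssl] == OpenSSL::SSL::VERIFY_PEER
end
```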

Metadata

Created: 2022-03-26T00:00:29Z
Modified: 2022-04-08T21:45:06Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-69p3-xp37-f692/GHSA-69p3-xp37-f692.json
CWE IDs: ["CWE-295"]
Alternative ID: GHSA-69p3-xp37-f692
Finding: F163
Auto approve: 1