Home > Vulnerability Database > CVE-2022-0759

Mend.io Vulnerability Database

CVE-2022-0759

Good to know:

Date: March 25, 2022

A flaw was found in all versions of kubeclient up to (but not including) v4.9.3, the Ruby client for Kubernetes REST API, in the way it parsed kubeconfig files. When the kubeconfig file does not configure custom CA to verify certs, kubeclient ends up accepting any certificate (it wrongly returns VERIFY_NONE). Ruby applications that leverage kubeclient to parse kubeconfig files are susceptible to Man-in-the-middle attacks (MITM).

Language: Ruby

Severity Score

8.1

Related Resources (8)

Url: https://github.com/rubysec/ruby-advisory-db/blob/master/gems/kubeclient/CVE-2022-0759.yml

Url: https://nvd.nist.gov/vuln/detail/CVE-2022-0759

Url: https://github.com/ManageIQ/kubeclient/pull/556

Url: https://github.com/ManageIQ/kubeclient/commit/109ea71de5a8881748f03ebbe103b49f0f1c7887

Url: https://github.com/ManageIQ/kubeclient/issues/554

Url: https://github.com/ManageIQ/kubeclient

Url: https://github.com/ManageIQ/kubeclient/issues/555

Url: https://www.mend.io/vulnerability-database/CVE-2022-0759

Severity Score

8.1

Weakness Type (CWE)

Improper Certificate Validation

CWE-295

Top Fix

Upgrade Version

Upgrade to version kubeclient - 4.9.3

Learn More

CVSS v3.1

Base Score:	8.1
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	HIGH
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

CVSS v2

Base Score:	6.8
Access Vector (AV):	NETWORK
Access Complexity (AC):	MEDIUM
Authentication (AU):	NONE
Confidentiality (C):	PARTIAL
Integrity (I):	PARTIAL
Availability (A):	PARTIAL
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2022-0759

Good to know:

Date: March 25, 2022

Language: Ruby

Severity Score

Related Resources (8)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

CVSS v2

Do you need more information?