CVE-2022-1902
Vulnerability from cvelistv5
Published
2022-09-01 19:54
Modified
2024-08-03 00:17
Summary
A flaw was found in the Red Hat Advanced Cluster Security for Kubernetes. Notifier secrets were not properly sanitized in the GraphQL API. This flaw allows authenticated ACS users to retrieve Notifiers from the GraphQL API, revealing secrets that can escalate their privileges.
References
Source | URL | Tags
---|---|---
secalert@redhat.com | https://access.redhat.com/security/cve/CVE-2022-1902 | Vendor Advisory
secalert@redhat.com | https://bugzilla.redhat.com/show_bug.cgi?id=2090957 | Issue Tracking, Vendor Advisory
secalert@redhat.com | https://github.com/stackrox/stackrox/pull/1803 | Exploit, Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://access.redhat.com/security/cve/CVE-2022-1902 | Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://bugzilla.redhat.com/show_bug.cgi?id=2090957 | Issue Tracking, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/stackrox/stackrox/pull/1803 | Exploit, Patch, Third Party Advisory
Impacted products
Vendor | Product | Version
---|---|---
n/a | Red Hat Advanced Cluster Security for Kubernetes | Red Hat Advanced Cluster Security for Kubernetes 3
rhsa-2022_5188
Vulnerability from csaf_redhat
Published
2022-06-24 19:42
Modified
2024-12-17 21:58
Summary
Red Hat Security Advisory: RHACS 3.69 security update
Notes
Topic
Updated images are now available for Red Hat Advanced Cluster Security for Kubernetes (RHACS). The updated image includes bug and security fixes.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Release of RHACS 3.69.2
Security Fix(es):
* stackrox: Improper sanitization allows users to retrieve Notifier secrets from GraphQL API in plaintext (CVE-2022-1902)
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
This flaw allows authenticated ACS users to retrieve Notifiers from the GraphQL API, revealing secrets that can escalate their privileges.", "title": "Vulnerability description" }, { "category": "summary", "text": "stackrox: Improper sanitization allows users to retrieve Notifier secrets from GraphQL API in plaintext", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHACS-3.69:advanced-cluster-security/rhacs-main-rhel8@sha256:d1257e71da7d928d57d587b37d9b6aa79c3a0532e87d3d24742613f623709082_amd64" ], "known_not_affected": [ "8Base-RHACS-3.69:advanced-cluster-security/rhacs-collector-rhel8@sha256:b1133a28779646b195f65221eb81cc5be95076d9c835d7ea072ec86ad9a4ba93_amd64", "8Base-RHACS-3.69:advanced-cluster-security/rhacs-collector-slim-rhel8@sha256:339f13fe43b1413c4a88778195ea937cc1a96b9790b443f876de7cadf152bce1_amd64", "8Base-RHACS-3.69:advanced-cluster-security/rhacs-docs-rhel8@sha256:90457347e3b31e462d6b778274374c92d66faee30bae8162afb9c868ce537e54_amd64", "8Base-RHACS-3.69:advanced-cluster-security/rhacs-operator-bundle@sha256:297e7f863106c6b41f882bbd5b691a12c797c24d832473a04e604d4639e4a68e_amd64", "8Base-RHACS-3.69:advanced-cluster-security/rhacs-rhel8-operator@sha256:2816c185da5d27e5340a40c97b9c8cabb14b29ddb63ad7aea47fa697e2f264fb_amd64", "8Base-RHACS-3.69:advanced-cluster-security/rhacs-roxctl-rhel8@sha256:5f478678df06ff4d666d0a0cdd2edbfafe1bd860cbced04e6ed10b3dfa70a85f_amd64", "8Base-RHACS-3.69:advanced-cluster-security/rhacs-scanner-db-rhel8@sha256:f4f70356fc2e9d6d2129d31e4e5795c5cc5e08f754ffba663863363fb46c5760_amd64", 
"8Base-RHACS-3.69:advanced-cluster-security/rhacs-scanner-db-slim-rhel8@sha256:c8e76bf5bb6d96904bf0d4b34b338bce7f96436625d0d982c007c6e7fee0f4f1_amd64", "8Base-RHACS-3.69:advanced-cluster-security/rhacs-scanner-rhel8@sha256:fba8806142f5358194126cb8501d8bc2de7a2bdd8d5a4cb7fd32faa8bb09b289_amd64", "8Base-RHACS-3.69:advanced-cluster-security/rhacs-scanner-slim-rhel8@sha256:cecd1a42674d57be482644e6986aefee90e315c767941c622297928a999b5057_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-1902" }, { "category": "external", "summary": "RHBZ#2090957", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2090957" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-1902", "url": "https://www.cve.org/CVERecord?id=CVE-2022-1902" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-1902", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1902" } ], "release_date": "2022-05-25T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-06-24T19:42:45+00:00", "details": "If you are using the RHACS 3.69.1, you are advised to upgrade to patch release 3.69.2.", "product_ids": [ "8Base-RHACS-3.69:advanced-cluster-security/rhacs-main-rhel8@sha256:d1257e71da7d928d57d587b37d9b6aa79c3a0532e87d3d24742613f623709082_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:5188" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ 
"8Base-RHACS-3.69:advanced-cluster-security/rhacs-collector-rhel8@sha256:b1133a28779646b195f65221eb81cc5be95076d9c835d7ea072ec86ad9a4ba93_amd64", "8Base-RHACS-3.69:advanced-cluster-security/rhacs-collector-slim-rhel8@sha256:339f13fe43b1413c4a88778195ea937cc1a96b9790b443f876de7cadf152bce1_amd64", "8Base-RHACS-3.69:advanced-cluster-security/rhacs-docs-rhel8@sha256:90457347e3b31e462d6b778274374c92d66faee30bae8162afb9c868ce537e54_amd64", "8Base-RHACS-3.69:advanced-cluster-security/rhacs-main-rhel8@sha256:d1257e71da7d928d57d587b37d9b6aa79c3a0532e87d3d24742613f623709082_amd64", "8Base-RHACS-3.69:advanced-cluster-security/rhacs-operator-bundle@sha256:297e7f863106c6b41f882bbd5b691a12c797c24d832473a04e604d4639e4a68e_amd64", "8Base-RHACS-3.69:advanced-cluster-security/rhacs-rhel8-operator@sha256:2816c185da5d27e5340a40c97b9c8cabb14b29ddb63ad7aea47fa697e2f264fb_amd64", "8Base-RHACS-3.69:advanced-cluster-security/rhacs-roxctl-rhel8@sha256:5f478678df06ff4d666d0a0cdd2edbfafe1bd860cbced04e6ed10b3dfa70a85f_amd64", "8Base-RHACS-3.69:advanced-cluster-security/rhacs-scanner-db-rhel8@sha256:f4f70356fc2e9d6d2129d31e4e5795c5cc5e08f754ffba663863363fb46c5760_amd64", "8Base-RHACS-3.69:advanced-cluster-security/rhacs-scanner-db-slim-rhel8@sha256:c8e76bf5bb6d96904bf0d4b34b338bce7f96436625d0d982c007c6e7fee0f4f1_amd64", "8Base-RHACS-3.69:advanced-cluster-security/rhacs-scanner-rhel8@sha256:fba8806142f5358194126cb8501d8bc2de7a2bdd8d5a4cb7fd32faa8bb09b289_amd64", "8Base-RHACS-3.69:advanced-cluster-security/rhacs-scanner-slim-rhel8@sha256:cecd1a42674d57be482644e6986aefee90e315c767941c622297928a999b5057_amd64" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "stackrox: Improper sanitization allows users to retrieve Notifier secrets from GraphQL API in plaintext" } ] }
rhsa-2022_5132
Vulnerability from csaf_redhat
Published
2022-06-20 17:22
Modified
2024-11-22 19:30
Summary
Red Hat Security Advisory: RHACS 3.68 security update
Notes
Topic
Updated images are now available for Red Hat Advanced Cluster Security for Kubernetes (RHACS). The updated image includes bug and security fixes.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Release of RHACS 3.68.2
Security Fix(es):
* stackrox: Improper sanitization allows users to retrieve Notifier secrets from GraphQL API in plaintext (CVE-2022-1902)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
rhsa-2022_5189
Vulnerability from csaf_redhat
Published
2022-06-27 10:19
Modified
2024-11-22 19:30
Summary
Red Hat Security Advisory: RHACS 3.70 security update
Notes
Topic
Updated images are now available for Red Hat Advanced Cluster Security for Kubernetes (RHACS). The updated image includes bug and security fixes.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Release of ACS 3.70.1
Security Fix(es):
* stackrox: Improper sanitization allows users to retrieve Notifier secrets from GraphQL API in plaintext (CVE-2022-1902)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "Updated images are now available for Red Hat Advanced Cluster Security for\nKubernetes (RHACS). The updated image includes bug and security fixes.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Release of ACS 3.70.1\n\nSecurity Fix(es):\n\n* stackrox: Improper sanitization allows users to retrieve Notifier secrets from GraphQL API in plaintext (CVE-2022-1902)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. 
and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:5189", "url": "https://access.redhat.com/errata/RHSA-2022:5189" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "2090957", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2090957" }, { "category": "external", "summary": "ROX-11452", "url": "https://issues.redhat.com/browse/ROX-11452" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_5189.json" } ], "title": "Red Hat Security Advisory: RHACS 3.70 security update", "tracking": { "current_release_date": "2024-11-22T19:30:58+00:00", "generator": { "date": "2024-11-22T19:30:58+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.1" } }, "id": "RHSA-2022:5189", "initial_release_date": "2022-06-27T10:19:57+00:00", "revision_history": [ { "date": "2022-06-27T10:19:57+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-06-27T10:19:57+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-22T19:30:58+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "RHACS 3.70 for RHEL 8", "product": { "name": "RHACS 3.70 for RHEL 8", "product_id": "8Base-RHACS-3.70", "product_identification_helper": 
{ "cpe": "cpe:/a:redhat:advanced_cluster_security:3.70::el8" } } } ], "category": "product_family", "name": "Red Hat Advanced Cluster Security for Kubernetes" }, { "branches": [ { "category": "product_version", "name": "advanced-cluster-security/rhacs-collector-rhel8@sha256:1457880bb72cd6628abb1f12c1a63ddfdeccc4d6096f39a8653ef0335f471266_amd64", "product": { "name": "advanced-cluster-security/rhacs-collector-rhel8@sha256:1457880bb72cd6628abb1f12c1a63ddfdeccc4d6096f39a8653ef0335f471266_amd64", "product_id": "advanced-cluster-security/rhacs-collector-rhel8@sha256:1457880bb72cd6628abb1f12c1a63ddfdeccc4d6096f39a8653ef0335f471266_amd64", "product_identification_helper": { "purl": "pkg:oci/rhacs-collector-rhel8@sha256:1457880bb72cd6628abb1f12c1a63ddfdeccc4d6096f39a8653ef0335f471266?arch=amd64\u0026repository_url=registry.redhat.io/advanced-cluster-security/rhacs-collector-rhel8\u0026tag=3.70.1-4" } } }, { "category": "product_version", "name": "advanced-cluster-security/rhacs-collector-slim-rhel8@sha256:098c7751ddc217f1cdd6798b6424141c27e7e19ca437a8157e728c62f8fea423_amd64", "product": { "name": "advanced-cluster-security/rhacs-collector-slim-rhel8@sha256:098c7751ddc217f1cdd6798b6424141c27e7e19ca437a8157e728c62f8fea423_amd64", "product_id": "advanced-cluster-security/rhacs-collector-slim-rhel8@sha256:098c7751ddc217f1cdd6798b6424141c27e7e19ca437a8157e728c62f8fea423_amd64", "product_identification_helper": { "purl": "pkg:oci/rhacs-collector-slim-rhel8@sha256:098c7751ddc217f1cdd6798b6424141c27e7e19ca437a8157e728c62f8fea423?arch=amd64\u0026repository_url=registry.redhat.io/advanced-cluster-security/rhacs-collector-slim-rhel8\u0026tag=3.70.1-3" } } }, { "category": "product_version", "name": "advanced-cluster-security/rhacs-docs-rhel8@sha256:297de60ddf71c1468a800f118e375fe5b5e0a6f11568e1da8a13a794433240c2_amd64", "product": { "name": "advanced-cluster-security/rhacs-docs-rhel8@sha256:297de60ddf71c1468a800f118e375fe5b5e0a6f11568e1da8a13a794433240c2_amd64", "product_id": 
"advanced-cluster-security/rhacs-docs-rhel8@sha256:297de60ddf71c1468a800f118e375fe5b5e0a6f11568e1da8a13a794433240c2_amd64", "product_identification_helper": { "purl": "pkg:oci/rhacs-docs-rhel8@sha256:297de60ddf71c1468a800f118e375fe5b5e0a6f11568e1da8a13a794433240c2?arch=amd64\u0026repository_url=registry.redhat.io/advanced-cluster-security/rhacs-docs-rhel8\u0026tag=3.70.1-4" } } }, { "category": "product_version", "name": "advanced-cluster-security/rhacs-main-rhel8@sha256:0c45ab080cd5f6429de49036fe846fe241c3044091dae245c2a6831cbdf20f65_amd64", "product": { "name": "advanced-cluster-security/rhacs-main-rhel8@sha256:0c45ab080cd5f6429de49036fe846fe241c3044091dae245c2a6831cbdf20f65_amd64", "product_id": "advanced-cluster-security/rhacs-main-rhel8@sha256:0c45ab080cd5f6429de49036fe846fe241c3044091dae245c2a6831cbdf20f65_amd64", "product_identification_helper": { "purl": "pkg:oci/rhacs-main-rhel8@sha256:0c45ab080cd5f6429de49036fe846fe241c3044091dae245c2a6831cbdf20f65?arch=amd64\u0026repository_url=registry.redhat.io/advanced-cluster-security/rhacs-main-rhel8\u0026tag=3.70.1-5" } } }, { "category": "product_version", "name": "advanced-cluster-security/rhacs-operator-bundle@sha256:9b35ae6df2c19935783735d213483f3fcecead2f49f873a4f7844ef9fb5c7f1a_amd64", "product": { "name": "advanced-cluster-security/rhacs-operator-bundle@sha256:9b35ae6df2c19935783735d213483f3fcecead2f49f873a4f7844ef9fb5c7f1a_amd64", "product_id": "advanced-cluster-security/rhacs-operator-bundle@sha256:9b35ae6df2c19935783735d213483f3fcecead2f49f873a4f7844ef9fb5c7f1a_amd64", "product_identification_helper": { "purl": "pkg:oci/rhacs-operator-bundle@sha256:9b35ae6df2c19935783735d213483f3fcecead2f49f873a4f7844ef9fb5c7f1a?arch=amd64\u0026repository_url=registry.redhat.io/advanced-cluster-security/rhacs-operator-bundle\u0026tag=3.70.1-4" } } }, { "category": "product_version", "name": "advanced-cluster-security/rhacs-rhel8-operator@sha256:9badb9eb5a21f7100b87a32833cc06c1c7f11aad977250af5ca24fb01318f862_amd64", 
"product": { "name": "advanced-cluster-security/rhacs-rhel8-operator@sha256:9badb9eb5a21f7100b87a32833cc06c1c7f11aad977250af5ca24fb01318f862_amd64", "product_id": "advanced-cluster-security/rhacs-rhel8-operator@sha256:9badb9eb5a21f7100b87a32833cc06c1c7f11aad977250af5ca24fb01318f862_amd64", "product_identification_helper": { "purl": "pkg:oci/rhacs-rhel8-operator@sha256:9badb9eb5a21f7100b87a32833cc06c1c7f11aad977250af5ca24fb01318f862?arch=amd64\u0026repository_url=registry.redhat.io/advanced-cluster-security/rhacs-rhel8-operator\u0026tag=3.70.1-4" } } }, { "category": "product_version", "name": "advanced-cluster-security/rhacs-roxctl-rhel8@sha256:7f92d7708730cd31ca0a0f1118b4635a68726ca1bbf0109b5bae238d7cf1a838_amd64", "product": { "name": "advanced-cluster-security/rhacs-roxctl-rhel8@sha256:7f92d7708730cd31ca0a0f1118b4635a68726ca1bbf0109b5bae238d7cf1a838_amd64", "product_id": "advanced-cluster-security/rhacs-roxctl-rhel8@sha256:7f92d7708730cd31ca0a0f1118b4635a68726ca1bbf0109b5bae238d7cf1a838_amd64", "product_identification_helper": { "purl": "pkg:oci/rhacs-roxctl-rhel8@sha256:7f92d7708730cd31ca0a0f1118b4635a68726ca1bbf0109b5bae238d7cf1a838?arch=amd64\u0026repository_url=registry.redhat.io/advanced-cluster-security/rhacs-roxctl-rhel8\u0026tag=3.70.1-3" } } }, { "category": "product_version", "name": "advanced-cluster-security/rhacs-scanner-rhel8@sha256:c779024230a63c6502dd84dc501b736789bb37210afb62fbf7cf243b9c748e58_amd64", "product": { "name": "advanced-cluster-security/rhacs-scanner-rhel8@sha256:c779024230a63c6502dd84dc501b736789bb37210afb62fbf7cf243b9c748e58_amd64", "product_id": "advanced-cluster-security/rhacs-scanner-rhel8@sha256:c779024230a63c6502dd84dc501b736789bb37210afb62fbf7cf243b9c748e58_amd64", "product_identification_helper": { "purl": "pkg:oci/rhacs-scanner-rhel8@sha256:c779024230a63c6502dd84dc501b736789bb37210afb62fbf7cf243b9c748e58?arch=amd64\u0026repository_url=registry.redhat.io/advanced-cluster-security/rhacs-scanner-rhel8\u0026tag=3.70.1-4" } } }, 
{ "category": "product_version", "name": "advanced-cluster-security/rhacs-scanner-db-rhel8@sha256:a45ff3957c1357aface24b346e08974d2fe60661005fb8e94cc2909c251c72c7_amd64", "product": { "name": "advanced-cluster-security/rhacs-scanner-db-rhel8@sha256:a45ff3957c1357aface24b346e08974d2fe60661005fb8e94cc2909c251c72c7_amd64", "product_id": "advanced-cluster-security/rhacs-scanner-db-rhel8@sha256:a45ff3957c1357aface24b346e08974d2fe60661005fb8e94cc2909c251c72c7_amd64", "product_identification_helper": { "purl": "pkg:oci/rhacs-scanner-db-rhel8@sha256:a45ff3957c1357aface24b346e08974d2fe60661005fb8e94cc2909c251c72c7?arch=amd64\u0026repository_url=registry.redhat.io/advanced-cluster-security/rhacs-scanner-db-rhel8\u0026tag=3.70.1-4" } } }, { "category": "product_version", "name": "advanced-cluster-security/rhacs-scanner-db-slim-rhel8@sha256:5e24f3e58f179e29f4e90b7fcc5478078dc60eae9e8095918c0484932472e9d2_amd64", "product": { "name": "advanced-cluster-security/rhacs-scanner-db-slim-rhel8@sha256:5e24f3e58f179e29f4e90b7fcc5478078dc60eae9e8095918c0484932472e9d2_amd64", "product_id": "advanced-cluster-security/rhacs-scanner-db-slim-rhel8@sha256:5e24f3e58f179e29f4e90b7fcc5478078dc60eae9e8095918c0484932472e9d2_amd64", "product_identification_helper": { "purl": "pkg:oci/rhacs-scanner-db-slim-rhel8@sha256:5e24f3e58f179e29f4e90b7fcc5478078dc60eae9e8095918c0484932472e9d2?arch=amd64\u0026repository_url=registry.redhat.io/advanced-cluster-security/rhacs-scanner-db-slim-rhel8\u0026tag=3.70.1-3" } } }, { "category": "product_version", "name": "advanced-cluster-security/rhacs-scanner-slim-rhel8@sha256:1db63101fcace1acd53dfd2278f2208fdb22295c6f0d9b9ac6d9ac1cdde1f544_amd64", "product": { "name": "advanced-cluster-security/rhacs-scanner-slim-rhel8@sha256:1db63101fcace1acd53dfd2278f2208fdb22295c6f0d9b9ac6d9ac1cdde1f544_amd64", "product_id": "advanced-cluster-security/rhacs-scanner-slim-rhel8@sha256:1db63101fcace1acd53dfd2278f2208fdb22295c6f0d9b9ac6d9ac1cdde1f544_amd64", 
"product_identification_helper": { "purl": "pkg:oci/rhacs-scanner-slim-rhel8@sha256:1db63101fcace1acd53dfd2278f2208fdb22295c6f0d9b9ac6d9ac1cdde1f544?arch=amd64\u0026repository_url=registry.redhat.io/advanced-cluster-security/rhacs-scanner-slim-rhel8\u0026tag=3.70.1-4" } } } ], "category": "architecture", "name": "amd64" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "advanced-cluster-security/rhacs-collector-rhel8@sha256:1457880bb72cd6628abb1f12c1a63ddfdeccc4d6096f39a8653ef0335f471266_amd64 as a component of RHACS 3.70 for RHEL 8", "product_id": "8Base-RHACS-3.70:advanced-cluster-security/rhacs-collector-rhel8@sha256:1457880bb72cd6628abb1f12c1a63ddfdeccc4d6096f39a8653ef0335f471266_amd64" }, "product_reference": "advanced-cluster-security/rhacs-collector-rhel8@sha256:1457880bb72cd6628abb1f12c1a63ddfdeccc4d6096f39a8653ef0335f471266_amd64", "relates_to_product_reference": "8Base-RHACS-3.70" }, { "category": "default_component_of", "full_product_name": { "name": "advanced-cluster-security/rhacs-collector-slim-rhel8@sha256:098c7751ddc217f1cdd6798b6424141c27e7e19ca437a8157e728c62f8fea423_amd64 as a component of RHACS 3.70 for RHEL 8", "product_id": "8Base-RHACS-3.70:advanced-cluster-security/rhacs-collector-slim-rhel8@sha256:098c7751ddc217f1cdd6798b6424141c27e7e19ca437a8157e728c62f8fea423_amd64" }, "product_reference": "advanced-cluster-security/rhacs-collector-slim-rhel8@sha256:098c7751ddc217f1cdd6798b6424141c27e7e19ca437a8157e728c62f8fea423_amd64", "relates_to_product_reference": "8Base-RHACS-3.70" }, { "category": "default_component_of", "full_product_name": { "name": "advanced-cluster-security/rhacs-docs-rhel8@sha256:297de60ddf71c1468a800f118e375fe5b5e0a6f11568e1da8a13a794433240c2_amd64 as a component of RHACS 3.70 for RHEL 8", "product_id": 
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-docs-rhel8@sha256:297de60ddf71c1468a800f118e375fe5b5e0a6f11568e1da8a13a794433240c2_amd64" }, "product_reference": "advanced-cluster-security/rhacs-docs-rhel8@sha256:297de60ddf71c1468a800f118e375fe5b5e0a6f11568e1da8a13a794433240c2_amd64", "relates_to_product_reference": "8Base-RHACS-3.70" }, { "category": "default_component_of", "full_product_name": { "name": "advanced-cluster-security/rhacs-main-rhel8@sha256:0c45ab080cd5f6429de49036fe846fe241c3044091dae245c2a6831cbdf20f65_amd64 as a component of RHACS 3.70 for RHEL 8", "product_id": "8Base-RHACS-3.70:advanced-cluster-security/rhacs-main-rhel8@sha256:0c45ab080cd5f6429de49036fe846fe241c3044091dae245c2a6831cbdf20f65_amd64" }, "product_reference": "advanced-cluster-security/rhacs-main-rhel8@sha256:0c45ab080cd5f6429de49036fe846fe241c3044091dae245c2a6831cbdf20f65_amd64", "relates_to_product_reference": "8Base-RHACS-3.70" }, { "category": "default_component_of", "full_product_name": { "name": "advanced-cluster-security/rhacs-operator-bundle@sha256:9b35ae6df2c19935783735d213483f3fcecead2f49f873a4f7844ef9fb5c7f1a_amd64 as a component of RHACS 3.70 for RHEL 8", "product_id": "8Base-RHACS-3.70:advanced-cluster-security/rhacs-operator-bundle@sha256:9b35ae6df2c19935783735d213483f3fcecead2f49f873a4f7844ef9fb5c7f1a_amd64" }, "product_reference": "advanced-cluster-security/rhacs-operator-bundle@sha256:9b35ae6df2c19935783735d213483f3fcecead2f49f873a4f7844ef9fb5c7f1a_amd64", "relates_to_product_reference": "8Base-RHACS-3.70" }, { "category": "default_component_of", "full_product_name": { "name": "advanced-cluster-security/rhacs-rhel8-operator@sha256:9badb9eb5a21f7100b87a32833cc06c1c7f11aad977250af5ca24fb01318f862_amd64 as a component of RHACS 3.70 for RHEL 8", "product_id": "8Base-RHACS-3.70:advanced-cluster-security/rhacs-rhel8-operator@sha256:9badb9eb5a21f7100b87a32833cc06c1c7f11aad977250af5ca24fb01318f862_amd64" }, "product_reference": 
"advanced-cluster-security/rhacs-rhel8-operator@sha256:9badb9eb5a21f7100b87a32833cc06c1c7f11aad977250af5ca24fb01318f862_amd64", "relates_to_product_reference": "8Base-RHACS-3.70" }, { "category": "default_component_of", "full_product_name": { "name": "advanced-cluster-security/rhacs-roxctl-rhel8@sha256:7f92d7708730cd31ca0a0f1118b4635a68726ca1bbf0109b5bae238d7cf1a838_amd64 as a component of RHACS 3.70 for RHEL 8", "product_id": "8Base-RHACS-3.70:advanced-cluster-security/rhacs-roxctl-rhel8@sha256:7f92d7708730cd31ca0a0f1118b4635a68726ca1bbf0109b5bae238d7cf1a838_amd64" }, "product_reference": "advanced-cluster-security/rhacs-roxctl-rhel8@sha256:7f92d7708730cd31ca0a0f1118b4635a68726ca1bbf0109b5bae238d7cf1a838_amd64", "relates_to_product_reference": "8Base-RHACS-3.70" }, { "category": "default_component_of", "full_product_name": { "name": "advanced-cluster-security/rhacs-scanner-db-rhel8@sha256:a45ff3957c1357aface24b346e08974d2fe60661005fb8e94cc2909c251c72c7_amd64 as a component of RHACS 3.70 for RHEL 8", "product_id": "8Base-RHACS-3.70:advanced-cluster-security/rhacs-scanner-db-rhel8@sha256:a45ff3957c1357aface24b346e08974d2fe60661005fb8e94cc2909c251c72c7_amd64" }, "product_reference": "advanced-cluster-security/rhacs-scanner-db-rhel8@sha256:a45ff3957c1357aface24b346e08974d2fe60661005fb8e94cc2909c251c72c7_amd64", "relates_to_product_reference": "8Base-RHACS-3.70" }, { "category": "default_component_of", "full_product_name": { "name": "advanced-cluster-security/rhacs-scanner-db-slim-rhel8@sha256:5e24f3e58f179e29f4e90b7fcc5478078dc60eae9e8095918c0484932472e9d2_amd64 as a component of RHACS 3.70 for RHEL 8", "product_id": "8Base-RHACS-3.70:advanced-cluster-security/rhacs-scanner-db-slim-rhel8@sha256:5e24f3e58f179e29f4e90b7fcc5478078dc60eae9e8095918c0484932472e9d2_amd64" }, "product_reference": "advanced-cluster-security/rhacs-scanner-db-slim-rhel8@sha256:5e24f3e58f179e29f4e90b7fcc5478078dc60eae9e8095918c0484932472e9d2_amd64", "relates_to_product_reference": 
"8Base-RHACS-3.70" }, { "category": "default_component_of", "full_product_name": { "name": "advanced-cluster-security/rhacs-scanner-rhel8@sha256:c779024230a63c6502dd84dc501b736789bb37210afb62fbf7cf243b9c748e58_amd64 as a component of RHACS 3.70 for RHEL 8", "product_id": "8Base-RHACS-3.70:advanced-cluster-security/rhacs-scanner-rhel8@sha256:c779024230a63c6502dd84dc501b736789bb37210afb62fbf7cf243b9c748e58_amd64" }, "product_reference": "advanced-cluster-security/rhacs-scanner-rhel8@sha256:c779024230a63c6502dd84dc501b736789bb37210afb62fbf7cf243b9c748e58_amd64", "relates_to_product_reference": "8Base-RHACS-3.70" }, { "category": "default_component_of", "full_product_name": { "name": "advanced-cluster-security/rhacs-scanner-slim-rhel8@sha256:1db63101fcace1acd53dfd2278f2208fdb22295c6f0d9b9ac6d9ac1cdde1f544_amd64 as a component of RHACS 3.70 for RHEL 8", "product_id": "8Base-RHACS-3.70:advanced-cluster-security/rhacs-scanner-slim-rhel8@sha256:1db63101fcace1acd53dfd2278f2208fdb22295c6f0d9b9ac6d9ac1cdde1f544_amd64" }, "product_reference": "advanced-cluster-security/rhacs-scanner-slim-rhel8@sha256:1db63101fcace1acd53dfd2278f2208fdb22295c6f0d9b9ac6d9ac1cdde1f544_amd64", "relates_to_product_reference": "8Base-RHACS-3.70" } ] }, "vulnerabilities": [ { "cve": "CVE-2022-1902", "cwe": { "id": "CWE-497", "name": "Exposure of Sensitive System Information to an Unauthorized Control Sphere" }, "discovery_date": "2022-05-27T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHACS-3.70:advanced-cluster-security/rhacs-collector-rhel8@sha256:1457880bb72cd6628abb1f12c1a63ddfdeccc4d6096f39a8653ef0335f471266_amd64", "8Base-RHACS-3.70:advanced-cluster-security/rhacs-collector-slim-rhel8@sha256:098c7751ddc217f1cdd6798b6424141c27e7e19ca437a8157e728c62f8fea423_amd64", "8Base-RHACS-3.70:advanced-cluster-security/rhacs-docs-rhel8@sha256:297de60ddf71c1468a800f118e375fe5b5e0a6f11568e1da8a13a794433240c2_amd64", 
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-operator-bundle@sha256:9b35ae6df2c19935783735d213483f3fcecead2f49f873a4f7844ef9fb5c7f1a_amd64", "8Base-RHACS-3.70:advanced-cluster-security/rhacs-rhel8-operator@sha256:9badb9eb5a21f7100b87a32833cc06c1c7f11aad977250af5ca24fb01318f862_amd64", "8Base-RHACS-3.70:advanced-cluster-security/rhacs-roxctl-rhel8@sha256:7f92d7708730cd31ca0a0f1118b4635a68726ca1bbf0109b5bae238d7cf1a838_amd64", "8Base-RHACS-3.70:advanced-cluster-security/rhacs-scanner-db-rhel8@sha256:a45ff3957c1357aface24b346e08974d2fe60661005fb8e94cc2909c251c72c7_amd64", "8Base-RHACS-3.70:advanced-cluster-security/rhacs-scanner-db-slim-rhel8@sha256:5e24f3e58f179e29f4e90b7fcc5478078dc60eae9e8095918c0484932472e9d2_amd64", "8Base-RHACS-3.70:advanced-cluster-security/rhacs-scanner-rhel8@sha256:c779024230a63c6502dd84dc501b736789bb37210afb62fbf7cf243b9c748e58_amd64", "8Base-RHACS-3.70:advanced-cluster-security/rhacs-scanner-slim-rhel8@sha256:1db63101fcace1acd53dfd2278f2208fdb22295c6f0d9b9ac6d9ac1cdde1f544_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2090957" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Red Hat Advanced Cluster Security for Kubernetes. Notifier secrets were not properly sanitized in the GraphQL API. 
This flaw allows authenticated ACS users to retrieve Notifiers from the GraphQL API, revealing secrets that can escalate their privileges.", "title": "Vulnerability description" }, { "category": "summary", "text": "stackrox: Improper sanitization allows users to retrieve Notifier secrets from GraphQL API in plaintext", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHACS-3.70:advanced-cluster-security/rhacs-main-rhel8@sha256:0c45ab080cd5f6429de49036fe846fe241c3044091dae245c2a6831cbdf20f65_amd64" ], "known_not_affected": [ "8Base-RHACS-3.70:advanced-cluster-security/rhacs-collector-rhel8@sha256:1457880bb72cd6628abb1f12c1a63ddfdeccc4d6096f39a8653ef0335f471266_amd64", "8Base-RHACS-3.70:advanced-cluster-security/rhacs-collector-slim-rhel8@sha256:098c7751ddc217f1cdd6798b6424141c27e7e19ca437a8157e728c62f8fea423_amd64", "8Base-RHACS-3.70:advanced-cluster-security/rhacs-docs-rhel8@sha256:297de60ddf71c1468a800f118e375fe5b5e0a6f11568e1da8a13a794433240c2_amd64", "8Base-RHACS-3.70:advanced-cluster-security/rhacs-operator-bundle@sha256:9b35ae6df2c19935783735d213483f3fcecead2f49f873a4f7844ef9fb5c7f1a_amd64", "8Base-RHACS-3.70:advanced-cluster-security/rhacs-rhel8-operator@sha256:9badb9eb5a21f7100b87a32833cc06c1c7f11aad977250af5ca24fb01318f862_amd64", "8Base-RHACS-3.70:advanced-cluster-security/rhacs-roxctl-rhel8@sha256:7f92d7708730cd31ca0a0f1118b4635a68726ca1bbf0109b5bae238d7cf1a838_amd64", "8Base-RHACS-3.70:advanced-cluster-security/rhacs-scanner-db-rhel8@sha256:a45ff3957c1357aface24b346e08974d2fe60661005fb8e94cc2909c251c72c7_amd64", 
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-scanner-db-slim-rhel8@sha256:5e24f3e58f179e29f4e90b7fcc5478078dc60eae9e8095918c0484932472e9d2_amd64", "8Base-RHACS-3.70:advanced-cluster-security/rhacs-scanner-rhel8@sha256:c779024230a63c6502dd84dc501b736789bb37210afb62fbf7cf243b9c748e58_amd64", "8Base-RHACS-3.70:advanced-cluster-security/rhacs-scanner-slim-rhel8@sha256:1db63101fcace1acd53dfd2278f2208fdb22295c6f0d9b9ac6d9ac1cdde1f544_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-1902" }, { "category": "external", "summary": "RHBZ#2090957", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2090957" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-1902", "url": "https://www.cve.org/CVERecord?id=CVE-2022-1902" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-1902", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1902" } ], "release_date": "2022-05-25T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-06-27T10:19:57+00:00", "details": "If you are using the RHACS 3.70.0, you are advised to upgrade to patch release 3.70.1.", "product_ids": [ "8Base-RHACS-3.70:advanced-cluster-security/rhacs-main-rhel8@sha256:0c45ab080cd5f6429de49036fe846fe241c3044091dae245c2a6831cbdf20f65_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:5189" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ 
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-main-rhel8@sha256:0c45ab080cd5f6429de49036fe846fe241c3044091dae245c2a6831cbdf20f65_amd64" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "stackrox: Improper sanitization allows users to retrieve Notifier secrets from GraphQL API in plaintext" } ] }
gsd-2022-1902
Vulnerability from gsd
Modified
2023-12-13 01:19
Details
A flaw was found in the Red Hat Advanced Cluster Security for Kubernetes. Notifier secrets were not properly sanitized in the GraphQL API. This flaw allows authenticated ACS users to retrieve Notifiers from the GraphQL API, revealing secrets that can escalate their privileges.
Aliases
{ "GSD": { "alias": "CVE-2022-1902", "description": "A flaw was found in the Red Hat Advanced Cluster Security for Kubernetes. Notifier secrets were not properly sanitized in the GraphQL API. This flaw allows authenticated ACS users to retrieve Notifiers from the GraphQL API, revealing secrets that can escalate their privileges.", "id": "GSD-2022-1902", "references": [ "https://access.redhat.com/errata/RHSA-2022:5132", "https://access.redhat.com/errata/RHSA-2022:5188", "https://access.redhat.com/errata/RHSA-2022:5189" ] }, "gsd": { "metadata": { "exploitCode": "unknown", "remediation": "unknown", "reportConfidence": "confirmed", "type": "vulnerability" }, "osvSchema": { "aliases": [ "CVE-2022-1902" ], "details": "A flaw was found in the Red Hat Advanced Cluster Security for Kubernetes. Notifier secrets were not properly sanitized in the GraphQL API. This flaw allows authenticated ACS users to retrieve Notifiers from the GraphQL API, revealing secrets that can escalate their privileges.", "id": "GSD-2022-1902", "modified": "2023-12-13T01:19:28.560487Z", "schema_version": "1.4.0" } }, "namespaces": { "cve.org": { "CVE_data_meta": { "ASSIGNER": "secalert@redhat.com", "ID": "CVE-2022-1902", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Red Hat Advanced Cluster Security for Kubernetes", "version": { "version_data": [ { "version_affected": "=", "version_value": "Red Hat Advanced Cluster Security for Kubernetes 3" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "A flaw was found in the Red Hat Advanced Cluster Security for Kubernetes. Notifier secrets were not properly sanitized in the GraphQL API. This flaw allows authenticated ACS users to retrieve Notifiers from the GraphQL API, revealing secrets that can escalate their privileges." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "cweId": "CWE-497", "lang": "eng", "value": "CWE-497" } ] } ] }, "references": { "reference_data": [ { "name": "https://bugzilla.redhat.com/show_bug.cgi?id=2090957", "refsource": "MISC", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2090957" }, { "name": "https://access.redhat.com/security/cve/CVE-2022-1902", "refsource": "MISC", "url": "https://access.redhat.com/security/cve/CVE-2022-1902" }, { "name": "https://github.com/stackrox/stackrox/pull/1803", "refsource": "MISC", "url": "https://github.com/stackrox/stackrox/pull/1803" } ] } }, "nvd.nist.gov": { "configurations": { "CVE_data_version": "4.0", "nodes": [ { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:redhat:advanced_cluster_security:3.68:*:*:*:*:kubernates:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:redhat:advanced_cluster_security:3.69:*:*:*:*:kubernates:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:redhat:advanced_cluster_security:3.70:*:*:*:*:kubernates:*:*", "cpe_name": [], "vulnerable": true } ], "operator": "OR" } ] }, "cve": { "CVE_data_meta": { "ASSIGNER": "secalert@redhat.com", "ID": "CVE-2022-1902" }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "en", "value": "A flaw was found in the Red Hat Advanced Cluster Security for Kubernetes. Notifier secrets were not properly sanitized in the GraphQL API. This flaw allows authenticated ACS users to retrieve Notifiers from the GraphQL API, revealing secrets that can escalate their privileges." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "en", "value": "CWE-497" } ] } ] }, "references": { "reference_data": [ { "name": "https://access.redhat.com/security/cve/CVE-2022-1902", "refsource": "MISC", "tags": [ "Vendor Advisory" ], "url": "https://access.redhat.com/security/cve/CVE-2022-1902" }, { "name": "https://github.com/stackrox/stackrox/pull/1803", "refsource": "MISC", "tags": [ "Exploit", "Patch", "Third Party Advisory" ], "url": "https://github.com/stackrox/stackrox/pull/1803" }, { "name": "https://bugzilla.redhat.com/show_bug.cgi?id=2090957", "refsource": "MISC", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2090957" } ] } }, "impact": { "baseMetricV3": { "cvssV3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 5.9 } }, "lastModifiedDate": "2023-02-12T22:15Z", "publishedDate": "2022-09-01T21:15Z" } } }
ghsa-c2p8-xm7c-wc48
Vulnerability from github
Published
2022-09-02 00:01
Modified
2022-09-08 00:00
Severity ?
Details
A flaw was found in the Red Hat Advanced Cluster Security for Kubernetes. Notifier secrets were not properly sanitized in the GraphQL API. This flaw allows authenticated ACS users to retrieve Notifiers from the GraphQL API, revealing secrets that can escalate their privileges.
{ "affected": [], "aliases": [ "CVE-2022-1902" ], "database_specific": { "cwe_ids": [ "CWE-497", "CWE-668" ], "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2022-09-01T21:15:00Z", "severity": "HIGH" }, "details": "A flaw was found in the Red Hat Advanced Cluster Security for Kubernetes. Notifier secrets were not properly sanitized in the GraphQL API. This flaw allows authenticated ACS users to retrieve Notifiers from the GraphQL API, revealing secrets that can escalate their privileges.", "id": "GHSA-c2p8-xm7c-wc48", "modified": "2022-09-08T00:00:29Z", "published": "2022-09-02T00:01:02Z", "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1902" }, { "type": "WEB", "url": "https://github.com/stackrox/stackrox/pull/1803" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2022:5132" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2022:5188" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2022:5189" }, { "type": "WEB", "url": "https://access.redhat.com/security/cve/CVE-2022-1902" }, { "type": "WEB", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2090957" } ], "schema_version": "1.4.0", "severity": [ { "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "type": "CVSS_V3" } ] }