CVE-2022-3172

Advisory lineage Upstream: 0 Downstream: 5

Downstream

DEBIAN-CVE-2022-3172 RHBA-2022:7200 RHSA-2022:7398 RHSA-2023:1655 UBUNTU-CVE-2022-3172

Modified

Published: 03 Nov 2023, 18:11

Last modified:13 Feb 2025, 16:32

Vulnerability Summary

Overall Risk (default)

medium

33/100

CVSS Score

8.2 HIGH

v3.1 (nvd)

EPSS Score

3.41% LOW

3% probability +0.88%

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

03 Nov 2023, 18:11

Published

Vulnerability first disclosed

13 Feb 2025, 16:32

Last Modified

Vulnerability information updated

Description

A security issue was discovered in kube-apiserver that allows an aggregated API server to redirect client traffic to any URL. This could lead to the client performing unexpected actions as well as forwarding the client's API server credentials to third parties.

CVSS Metrics

v3.1•MEDIUM•Score: 5.1CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:L
v3.1•HIGH•Score: 8.2CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N

EPSS Trends

Current EPSS score: 3.41%• Percentile: 88%

Techniques & Countermeasures

CWE-918•Server-Side Request Forgery (SSRF)
The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Affected Systems

kubernetes•apiserver
≤ 1.21.14 | ≥ 1.22.0, < 1.22.14 | ≥ 1.23.0, < 1.23.11 | ≥ 1.24.0, < 1.24.5 | 1.25.0
kubernetes•kube-apiserver
v1.25.0 | ≥ v1.24.0, ≤ v1.24.4 | ≥ v1.23.0, ≤ v1.23.10 | ≥ v1.22.0, ≤ v1.22.13 | ≤ v1.21.14