CVE-2022-1632

CWE-295 — Improper Certificate Validation4 documents4 sources

Severity

6.5MEDIUM

EPSS

0.1%

top 69.83%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Fedoraproject Fedora Redhat Ansible Automation Platform Redhat Openshift Container Platform

Timeline

PublishedSep 1

Latest updateSep 2

Description

An Improper Certificate Validation attack was found in Openshift. A re-encrypt Route with destinationCACertificate explicitly set to the default serviceCA skips internal Service TLS certificate validation. This flaw allows an attacker to exploit an invalid certificate, resulting in a loss of confidentiality.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages2 packages

▶CVEListV5openshift4.8.17

▶NVDredhat/ansible_automation_platform2.0

Also affects: Openshift Container Platform 4.0, Fedora 34, 35

🔴Vulnerability Details

GHSA

GHSA-x47w-fx67-qh3w: An Improper Certificate Validation attack was found in Openshift↗2022-09-02

▶

CVEList

CVE-2022-1632: An Improper Certificate Validation attack was found in Openshift↗2022-09-01

▶

📋Vendor Advisories

Red Hat

Openshift: ClusterIP Service TLS certificate not checked by route controller if re-encrypt Route destinationCACertificate field is explicitly set to default serviceCA↗2022-01-18

▶