CVE-2022-1677: Uncontrolled Resource Consumption in Red Hat OpenShift

Severity: 6.3 MEDIUM (NVD)
EPSS: 0.2% (top 54.44%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Sep 1; latest update Sep 2

Description

In OpenShift Container Platform, a user with permissions to create or modify Routes can craft a payload that inserts a malformed entry into one of the cluster router's HAProxy configuration files. This malformed entry can match any arbitrary hostname, or all hostnames in the cluster, and direct traffic to an arbitrary application within the cluster, including one under attacker control.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Exploitability: 2.8 | Impact: 3.4

Affected Packages (2 packages)

CVEListV5: redhat/openshift_container_platform, OpenShift 3.11 and 4.6 onwards
CVEListV5: redhat/openshift, OpenShift 3.11 and 4.6 onwards

Also affects: OpenShift Container Platform 3.11, 4.10, 4.6, 4.7, 4.8, 4.9

Patches

🔴 Vulnerability Details (2)

GHSA (2022-09-02)
GHSA-qq85-wpwr-7p33: In OpenShift Container Platform, a user with permissions to create or modify Routes can craft a payload that inserts a malformed entry into one of the...
CVEList (2022-09-01)
CVE-2022-1677: In OpenShift Container Platform, a user with permissions to create or modify Routes can craft a payload that inserts a malformed entry into one of the...

📋 Vendor Advisories (1)

Red Hat (2022-05-13)
openshift/router: route hijacking attack via crafted HAProxy configuration file
CVE-2022-1677 — Uncontrolled Resource Consumption | cvebase