CVE-2022-1902 — Exposure of Sensitive System Information to an Unauthorized Control Sphere in Redhat Advanced Cluster Security

CWE-497 — Exposure of Sensitive System Information to an Unauthorized Control Sphere CWE-668 — Resource Exposure4 documents4 sources

Severity

8.8HIGHNVD

EPSS

0.8%

top 25.53%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redhat Advanced Cluster Security

Timeline

PublishedSep 1

Latest updateSep 2

Description

A flaw was found in the Red Hat Advanced Cluster Security for Kubernetes. Notifier secrets were not properly sanitized in the GraphQL API. This flaw allows authenticated ACS users to retrieve Notifiers from the GraphQL API, revealing secrets that can escalate their privileges.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages1 packages

▶NVDredhat/advanced_cluster_security3.68, 3.69, 3.70+2

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-c2p8-xm7c-wc48: A flaw was found in the Red Hat Advanced Cluster Security for Kubernetes↗2022-09-02

▶

CVEList

CVE-2022-1902: A flaw was found in the Red Hat Advanced Cluster Security for Kubernetes↗2022-09-01

▶

📋Vendor Advisories

Red Hat

stackrox: Improper sanitization allows users to retrieve Notifier secrets from GraphQL API in plaintext↗2022-05-25

▶