CVE-2022-0759
HIGHkubeclient < 4.9.3 - Improper Certificate Validation in Kubeconfig Parser
Title source: llmDescription
A flaw was found in all versions of kubeclient up to (but not including) v4.9.3, the Ruby client for Kubernetes REST API, in the way it parsed kubeconfig files. When the kubeconfig file does not configure custom CA to verify certs, kubeclient ends up accepting any certificate (it wrongly returns VERIFY_NONE). Ruby applications that leverage kubeclient to parse kubeconfig files are susceptible to Man-in-the-middle attacks (MITM).
References (2)
Core 2
Core References
Issue Tracking, Patch, Third Party Advisory x_refsource_misc
https://github.com/ManageIQ/kubeclient/issues/554
Issue Tracking, Patch, Third Party Advisory x_refsource_misc
https://github.com/ManageIQ/kubeclient/issues/555
Scores
CVSS v3
8.1
EPSS
0.0014
EPSS Percentile
33.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-295
Status
published
Products (2)
redhat/kubeclient
< 4.9.3
rubygems/kubeclient
0 - 4.9.3RubyGems
Published
Mar 25, 2022
Tracked Since
Feb 18, 2026