All the vulnerabilites related to Red Hat - OpenShift Service Mesh 2.1
cve-2022-3962
Vulnerability from cvelistv5
Published
2023-09-23 19:00
Modified
2024-08-03 01:27
Summary
Kiali: error message spoofing in kiali ui
References
https://access.redhat.com/errata/RHSA-2023:0542vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/security/cve/CVE-2022-3962vdb-entry, x_refsource_REDHAT
https://bugzilla.redhat.com/show_bug.cgi?id=2148661issue-tracking, x_refsource_REDHAT
Impacted products
Vendor Product Version
Red Hat OpenShift Service Mesh 2.1     cpe:/a:redhat:service_mesh:2.1
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T01:27:53.126Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "RHSA-2023:0542",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2023:0542"
          },
          {
            "tags": [
              "vdb-entry",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/security/cve/CVE-2022-3962"
          },
          {
            "name": "RHBZ#2148661",
            "tags": [
              "issue-tracking",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2148661"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:service_mesh:2.3::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "openshift-service-mesh/kiali-rhel8",
          "product": "Red Hat OpenShift Service Mesh 2.3 for RHEL 8",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "1.57.5-3",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:service_mesh:2.1"
          ],
          "defaultStatus": "affected",
          "packageName": "openshift-service-mesh/kiali-rhel8",
          "product": "OpenShift Service Mesh 2.1",
          "vendor": "Red Hat"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "This issue was discovered by John Mazzitelli (Red Hat)."
        }
      ],
      "datePublic": "2022-11-22T00:00:00+00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "A content spoofing vulnerability was found in Kiali. It was discovered that Kiali does not implement error handling when the page or endpoint being accessed cannot be found. This issue allows an attacker to perform arbitrary text injection when an error response is retrieved from the URL being accessed."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "namespace": "https://access.redhat.com/security/updates/classification/",
              "value": "Low"
            },
            "type": "Red Hat severity rating"
          }
        },
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-74",
              "description": "Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-05-03T15:32:26.058Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "name": "RHSA-2023:0542",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2023:0542"
        },
        {
          "tags": [
            "vdb-entry",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/security/cve/CVE-2022-3962"
        },
        {
          "name": "RHBZ#2148661",
          "tags": [
            "issue-tracking",
            "x_refsource_REDHAT"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2148661"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2022-11-11T00:00:00+00:00",
          "value": "Reported to Red Hat."
        },
        {
          "lang": "en",
          "time": "2022-11-22T00:00:00+00:00",
          "value": "Made public."
        }
      ],
      "title": "Kiali: error message spoofing in kiali ui",
      "x_redhatCweChain": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2022-3962",
    "datePublished": "2023-09-23T19:00:54.200Z",
    "dateReserved": "2022-11-12T00:20:34.872Z",
    "dateUpdated": "2024-08-03T01:27:53.126Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}