CVE-2022-3172

🗓️ 03 Nov 2023 18:11:53Reported by kubernetesType

cve🔗 web.nvd.nist.gov📰️ 1 Media mentions👁 1982 Views🌐 WEB

A security issue in kube-apiserver allows a server to redirect client traffic

Reporter	Title	Published	Views	Family All 75
IBM Security Bulletins	Security Bulletin: Open Source Dependency Vulnerability	15 May 202318:55	–	ibm
IBM Security Bulletins	Security Bulletin: IBM MQ Operator and Queue manager container images are vulnerable to multiple vulnerabilities from Kubernetes, curl and systemd	19 Jun 202308:19	–	ibm
IBM Security Bulletins	Security Bulletin: Red Hat OpenShift on IBM Cloud is affected by a Kubernetes API server security vulnerability (CVE-2022-3172)	24 May 202313:34	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Storage Fusion HCI may be vulnerable to Unauthorized requests (SSRF), Improper path traversal, via k8s.io/apimachinery, k8s.io/apiserver (CVE-2022-3172, CVE-2022-3162)	21 Dec 202317:24	–	ibm
IBM Security Bulletins	Security Bulletin: Kubernetes kube-apiserver vulnerability	17 Apr 202318:37	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Cloud Pak for Security includes components with multiple known vulnerabilities	8 Jun 202321:56	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Storage Fusion may be vulnerable to Unauthorized requests (SSRF), Improper path traversal, via k8s.io/apimachinery, k8s.io/apiserver (CVE-2022-3172, CVE-2022-3162)	16 Nov 202321:29	–	ibm
IBM Security Bulletins	Security Bulletin: Security vulnerability is addressed with IBM Cloud Pak for Business Automation iFixes for November 2022	26 Mar 202502:40	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple vulnerabilities affect IBM Db2® on Cloud Pak for Data and Db2 Warehouse® on Cloud Pak for Data	30 Nov 202223:02	–	ibm
IBM Security Bulletins	Security Bulletin: IBM i Modernization Engine for Lifecycle Integration is vulnerable to multiple vulnerabilities	19 Dec 202215:35	–	ibm

NVD

Node

kubernetes apiserverRange≤1.21.14

kubernetes apiserverRange1.22.0–1.22.14

kubernetes apiserverRange1.23.0–1.23.11

kubernetes apiserverRange1.24.0–1.24.5

kubernetes apiserverMatch1.25.0

[
  {
    "defaultStatus": "unaffected",
    "product": "kube-apiserver",
    "repo": "https://github.com/kubernetes/kubernetes",
    "vendor": "Kubernetes",
    "versions": [
      {
        "status": "affected",
        "version": "v1.25.0"
      },
      {
        "lessThanOrEqual": "v1.24.4",
        "status": "affected",
        "version": "v1.24.0",
        "versionType": "semver"
      },
      {
        "lessThanOrEqual": "v1.23.10",
        "status": "affected",
        "version": "v1.23.0",
        "versionType": "semver"
      },
      {
        "lessThanOrEqual": "v1.22.13",
        "status": "affected",
        "version": "v1.22.0",
        "versionType": "semver"
      },
      {
        "status": "unaffected",
        "version": "v1.25.1"
      },
      {
        "status": "unaffected",
        "version": "v1.24.5"
      },
      {
        "status": "unaffected",
        "version": "v1.23.11"
      },
      {
        "status": "unaffected",
        "version": "v1.22.14"
      },
      {
        "lessThanOrEqual": "v1.21.14",
        "status": "affected",
        "version": "0",
        "versionType": "semver"
      }
    ]
  }
]

Source	Link
groups	www.groups.google.com/g/kubernetes-security-announce/c/_aLzYMpPRak
github	www.github.com/kubernetes/kubernetes/issues/112513
security	www.security.netapp.com/advisory/ntap-20231221-0005/

Parameter	Position	Path	Description	CWE
Authorization	path	/apis/metrics.k8s.io/v2beta1/	Aggregated API server redirect vulnerability (CVE-2022-3172) that can cause client traffic to be redirected to an arbitrary URL.	CWE-918

13 Feb 2025 17:15Current

7.1High risk

Vulners AI Score7.1

CVSS 3.15.1 - 8.2

EPSS0.03414

CWE-918