Lucene search

GitHub_MCVELIST:CVE-2022-31055

HistoryJun 13, 2022 - 3:40 p.m.

CVE-2022-31055 Improper Access Control in kctf

2022-06-1315:40:10

CWE-284

GitHub_M

www.cve.org

cve-2022-31055

kctf

improper access control

kubernetes

infrastructure

capture the flag

patched

workaround

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS

0.001

Percentile

28.7%

JSON

kCTF is a Kubernetes-based infrastructure for capture the flag (CTF) competitions. Prior to version 1.6.0, the kctf cluster set-src-ip-ranges was broken and allowed traffic from any IP. The problem has been patched in v1.6.0. As a workaround, those who want to test challenges privately can mark them as public: false and use kctf chal debug port-forward to connect.

CNA Affected

[
  {
    "product": "kctf",
    "vendor": "google",
    "versions": [
      {
        "status": "affected",
        "version": "< 1.6.0"
      }
    ]
  }
]

References

github.com/google/kctf/commit/8cf050be974fcc2fd8aa136701f9a66f2b2a5202

github.com/google/kctf/pull/371

github.com/google/kctf/security/advisories/GHSA-4g2v-6qc6-6jv5

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS

0.001

Percentile

28.7%

JSON

Related for CVELIST:CVE-2022-31055