Candidate: CVE-2022-0759
PublicDate: 2022-03-25 19:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0759
 https://bugzilla.redhat.com/show_bug.cgi?id=2058404
 https://github.com/ManageIQ/kubeclient/issues/554
 https://github.com/ManageIQ/kubeclient/pull/556
 https://github.com/ManageIQ/kubeclient/issues/555
 https://github.com/ManageIQ/kubeclient/pull/556
Description:
 A flaw was found in all versions of kubeclient up to (but not including)
 v4.9.3, the Ruby client for Kubernetes REST API, in the way it parsed
 kubeconfig files. When the kubeconfig file does not configure custom CA to
 verify certs, kubeclient ends up accepting any certificate (it wrongly
 returns VERIFY_NONE). Ruby applications that leverage kubeclient to parse
 kubeconfig files are susceptible to Man-in-the-middle attacks (MITM).
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H [8.1 HIGH]


Patches_ruby-kubeclient:
upstream_ruby-kubeclient: needs-triage
trusty_ruby-kubeclient: ignored (out of standard support)
xenial_ruby-kubeclient: ignored (out of standard support)
bionic_ruby-kubeclient: needs-triage
focal_ruby-kubeclient: needs-triage
impish_ruby-kubeclient: needs-triage
jammy_ruby-kubeclient: needs-triage
devel_ruby-kubeclient: needs-triage