CVE-2022-3962
Kiali: error message spoofing in kiali ui
Severity Score
4.3
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
A content spoofing vulnerability was found in Kiali. It was discovered that Kiali does not implement error handling when the page or endpoint being accessed cannot be found. This issue allows an attacker to perform arbitrary text injection when an error response is retrieved from the URL being accessed.
Se encontró una vulnerabilidad de suplantación de contenido en Kiali. Se descubrió que Kiali no implementa el manejo de errores cuando no se puede encontrar la página o el endpoint al que se accede. Este problema permite a un atacante realizar una inyección de texto arbitrario cuando se recupera una respuesta de error de la URL a la que se accede.
*Credits:
This issue was discovered by John Mazzitelli (Red Hat).
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2022-11-12 CVE Reserved
- 2023-09-23 CVE Published
- 2024-08-03 CVE Updated
- 2024-08-23 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CAPEC
References (3)
| URL | Tag | Source |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://access.redhat.com/errata/RHSA-2023:0542 | 2023-11-07 | |
| https://access.redhat.com/security/cve/CVE-2022-3962 | 2023-01-30 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=2148661 | 2023-01-30 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Redhat Search vendor "Redhat" | Openshift Service Mesh Search vendor "Redhat" for product "Openshift Service Mesh" | 2.3.1 Search vendor "Redhat" for product "Openshift Service Mesh" and version "2.3.1" | - |
Affected
| in | Redhat Search vendor "Redhat" | Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux" | 8.0 Search vendor "Redhat" for product "Enterprise Linux" and version "8.0" | - |
Safe
|
| Redhat Search vendor "Redhat" | Openshift Service Mesh Search vendor "Redhat" for product "Openshift Service Mesh" | 2.3.1 Search vendor "Redhat" for product "Openshift Service Mesh" and version "2.3.1" | - |
Affected
| in | Redhat Search vendor "Redhat" | Enterprise Linux For Ibm Z Systems Search vendor "Redhat" for product "Enterprise Linux For Ibm Z Systems" | 8.0 Search vendor "Redhat" for product "Enterprise Linux For Ibm Z Systems" and version "8.0" | - |
Safe
|
| Redhat Search vendor "Redhat" | Openshift Service Mesh Search vendor "Redhat" for product "Openshift Service Mesh" | 2.3.1 Search vendor "Redhat" for product "Openshift Service Mesh" and version "2.3.1" | - |
Affected
| in | Redhat Search vendor "Redhat" | Enterprise Linux For Power Little Endian Eus Search vendor "Redhat" for product "Enterprise Linux For Power Little Endian Eus" | 8.0 Search vendor "Redhat" for product "Enterprise Linux For Power Little Endian Eus" and version "8.0" | - |
Safe
|
| Kiali Search vendor "Kiali" | Kiali Search vendor "Kiali" for product "Kiali" | - | - |
Affected
| ||||||