Bug 2072188 (CVE-2022-3248) - CVE-2022-3248 kubernetes: OpenShift API admission checks does not enforce "custom-host" permissions
Keywords:
Status: NEW
Alias: CVE-2022-3248
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2101532 2101753 2101531 2112757 2112758
Blocks: 2075610 2128432
 
Reported: 2022-04-05 18:35 UTC by Pedro Sampaio
Modified: 2023-12-28 13:01 UTC (History)
CC List: 57 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the OpenShift API: its admission checks do not enforce the "custom-host" permission for ingress objects in every case. A project administrator from whom the cluster administrator has revoked this permission could therefore still set a custom host name on an ingress object, bypassing the boundary the permission is meant to enforce.
Clone Of:
Environment:
Last Closed:
Embargoed:



Description Pedro Sampaio 2022-04-05 18:35:01 UTC
The ability to specify a custom host name is governed by the "custom-host" permission, which is granted by default to all project administrators[1]. *It is possible for the cluster administrator to revoke this permission*. Then, the OpenShift API admission checks *should* prohibit project administrators from setting a custom host name on ingress and route objects. The problem is that *the admission checks do not enforce this prohibition* for ingress objects under some circumstances.


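To make the permission boundary concrete, the following Go program models the admission decision described above. It is an added illustration written for this page, not code from openshift-apiserver, and it simplifies the real check: in the API server the permission question is answered by a SubjectAccessReview for create on routes/custom-host, and host changes on update are checked as well. The type names, the CanCustomHost field, the hypothetical ErrCustomHostForbidden error, and the shape of the vulnerable variant (ingress objects not checked at all, where the report only says "under some circumstances") are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
)

// Subject carries the only authorization fact this model needs: whether the
// requester holds the permission OpenShift checks before honouring a
// caller-chosen host (create on routes/custom-host). Assumption: in the real
// API server this comes from a SubjectAccessReview, not from a struct field.
type Subject struct {
	Name          string
	CanCustomHost bool
}

// Route and Ingress are reduced to the fields the check cares about.
type Route struct {
	Host string // spec.host; empty means "let the router generate one"
}

type Ingress struct {
	// spec.rules[].host collected into one list; an empty entry is a rule
	// without a host. Assumption: a complete check would also consider
	// spec.tls[].hosts.
	Hosts []string
}

// Hypothetical error value for this example.
var ErrCustomHostForbidden = errors.New("custom host forbidden: subject lacks create on routes/custom-host")

// hostsOf extracts every caller-chosen host from an object. Returning nil for
// an unlisted kind means "nothing to enforce", which is only safe if every
// kind that can carry a host appears in this switch.
func hostsOf(obj interface{}) []string {
	var hosts []string
	switch o := obj.(type) {
	case Route:
		if o.Host != "" {
			hosts = append(hosts, o.Host)
		}
	case Ingress:
		for _, h := range o.Hosts {
			if h != "" {
				hosts = append(hosts, h)
			}
		}
	}
	return hosts
}

// AdmitVulnerable models the flaw class in the report: the custom-host
// permission is enforced for Route objects, but an Ingress carrying the same
// kind of host is never inspected and is admitted regardless of permission.
func AdmitVulnerable(s Subject, obj interface{}) error {
	if r, ok := obj.(Route); ok && r.Host != "" && !s.CanCustomHost {
		return fmt.Errorf("%s: %w", s.Name, ErrCustomHostForbidden)
	}
	return nil
}

// AdmitFixed applies the same rule to every kind that can carry a host, so
// revoking custom-host from a project admin holds for ingresses as well.
func AdmitFixed(s Subject, obj interface{}) error {
	if len(hostsOf(obj)) > 0 && !s.CanCustomHost {
		return fmt.Errorf("%s: %w", s.Name, ErrCustomHostForbidden)
	}
	return nil
}

func main() {
	// Constructed scenario: a project admin whose custom-host permission was
	// revoked by the cluster admin tries to claim app.example.com via an Ingress.
	dev := Subject{Name: "project-admin-no-custom-host", CanCustomHost: false}
	ing := Ingress{Hosts: []string{"app.example.com"}}
	fmt.Println("vulnerable:", AdmitVulnerable(dev, ing)) // <nil>: host silently accepted
	fmt.Println("fixed:     ", AdmitFixed(dev, ing))      // error: rejected
}
```

On a live cluster the equivalent check is the authorization query itself: `oc auth can-i create routes/custom-host --as=<user> -n <project>` should answer `no` for a project admin whose permission was revoked, and an attempt by that user to create an Ingress with a spec.rules[].host set should then be rejected by admission. If the Ingress is admitted while the query answers `no`, the cluster exhibits the behaviour this bug describes.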