Bug 2101669 (CVE-2022-2238) - CVE-2022-2238 search-api: SQL injection leads to remote denial of service
Summary: CVE-2022-2238 search-api: SQL injection leads to remote denial of service
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2022-2238
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Duplicates: 2127870
Depends On: 2101699 2131387 2131388 2131390
Blocks: 2101670 2101707 2127433
Reported: 2022-06-28 05:41 UTC by Avinash Hanwate
Modified: 2022-12-03 03:33 UTC
CC: 6 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in the search-api container in the backend code that parses the query supplied in the search filter. An attacker can craft filter strings containing special characters that crash the pod, which makes the search service unavailable until the pod has restarted.
Clone Of:
Environment:
Last Closed: 2022-12-03 03:33:19 UTC
Embargoed:


Links
System                  ID              Last Updated
Red Hat Product Errata  RHSA-2022:6954  2022-10-13 19:16:48 UTC
Red Hat Product Errata  RHSA-2022:7276  2022-11-01 16:53:18 UTC
Red Hat Product Errata  RHSA-2022:7313  2022-11-02 14:07:21 UTC

Description Avinash Hanwate 2022-06-28 05:41:11 UTC
The flaw was found in search-api. The web interface allows input of malformed queries in the search filter, which then get parsed by the backend, and this results in a prolonged remote denial of service.
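The general shape of the bug described above, as an added example that is not part of this bug report and not code from the search-api project: a filter-to-SQL builder that pastes request values into the statement text next to one that passes them as parameters. Go is assumed as the language, PostgreSQL-style `data->>'key'` JSON access and `$n` placeholders are assumed for the statement, and the `Filter` type, the `resources` table and the panic-on-database-error handling in `runVulnerable` are constructed for illustration. `unterminatedLiteral` only checks quote balancing and is a stand-in for the database parser, not an SQL parser.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Filter is one clause of a search request such as {Property: "kind", Values: ["Pod"]}.
// The shape is an assumption for this example, not the product's API.
type Filter struct {
	Property string
	Values   []string
}

// buildVulnerable shows the injection-prone pattern: user-controlled filter values are
// concatenated into the SQL text. A value carrying a quote terminates the literal
// early, so the database sees a malformed statement instead of a search.
func buildVulnerable(filters []Filter) string {
	var where []string
	for _, f := range filters {
		var vals []string
		for _, v := range f.Values {
			vals = append(vals, "'"+v+"'")
		}
		where = append(where, "data->>'"+f.Property+"' IN ("+strings.Join(vals, ", ")+")")
	}
	return "SELECT uid, data FROM resources WHERE " + strings.Join(where, " AND ")
}

// buildSafe never puts request data into the statement text. Properties and
// values travel as $n parameters, and an empty value list is rejected up front
// because "IN ()" is itself a syntax error in PostgreSQL.
func buildSafe(filters []Filter) (string, []any, error) {
	var where []string
	var args []any
	for _, f := range filters {
		if f.Property == "" || len(f.Values) == 0 {
			return "", nil, errors.New("filter needs a property and at least one value")
		}
		args = append(args, f.Property)
		prop := fmt.Sprintf("$%d", len(args))
		ph := make([]string, 0, len(f.Values))
		for _, v := range f.Values {
			args = append(args, v)
			ph = append(ph, fmt.Sprintf("$%d", len(args)))
		}
		where = append(where, "data->>"+prop+" IN ("+strings.Join(ph, ", ")+")")
	}
	if len(where) == 0 {
		return "", nil, errors.New("no filters")
	}
	return "SELECT uid, data FROM resources WHERE " + strings.Join(where, " AND "), args, nil
}

// unterminatedLiteral stands in for the database's parser: it walks the
// statement's single-quoted literals ('' is an escaped quote inside a literal)
// and reports whether a literal is left open, which is what a stray quote in a
// value does. It does not understand comments or other SQL syntax.
func unterminatedLiteral(sql string) bool {
	inLit := false
	for i := 0; i < len(sql); i++ {
		if sql[i] != '\'' {
			continue
		}
		if inLit && i+1 < len(sql) && sql[i+1] == '\'' {
			i++ // doubled quote inside a literal
			continue
		}
		inLit = !inLit
	}
	return inLit
}

// runVulnerable mirrors the availability failure: the backend treats a parse
// error as unexpected and panics, which takes the whole process (the pod) down.
func runVulnerable(filters []Filter) string {
	sql := buildVulnerable(filters)
	if unterminatedLiteral(sql) {
		panic("unexpected database error: unterminated quoted string")
	}
	return sql
}

// runSafe reports a client error instead, so one bad request costs one 400
// response rather than a pod restart.
func runSafe(filters []Filter) (string, []any, error) {
	sql, args, err := buildSafe(filters)
	if err != nil {
		return "", nil, fmt.Errorf("bad request: %w", err)
	}
	if unterminatedLiteral(sql) { // cannot happen: no request data is in sql
		return "", nil, errors.New("internal error")
	}
	return sql, args, nil
}

func main() {
	crafted := []Filter{{Property: "kind", Values: []string{"Pod'"}}} // constructed input
	fmt.Println("vulnerable statement malformed:", unterminatedLiteral(buildVulnerable(crafted)))
	sql, args, err := runSafe(crafted)
	fmt.Println("safe statement:", sql, args, err)
}
```

The point of the pairing is where the request data ends up: in `buildVulnerable` the value `Pod'` is part of the statement the database has to parse, so a single stray quote turns a search into a parse error and, with the panic in `runVulnerable`, into a crashed process; in `buildSafe` the same value only ever appears in the argument slice, so the statement text is fixed regardless of input and a bad request is answered with an error rather than a restart.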

Comment 2 errata-xmlrpc 2022-10-13 19:16:46 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.5 for RHEL 8

Via RHSA-2022:6954 https://access.redhat.com/errata/RHSA-2022:6954

Comment 3 Borja Tarraso 2022-10-31 13:51:11 UTC
*** Bug 2127870 has been marked as a duplicate of this bug. ***

Comment 4 errata-xmlrpc 2022-11-01 16:53:16 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.4 for RHEL 8

Via RHSA-2022:7276 https://access.redhat.com/errata/RHSA-2022:7276

Comment 5 errata-xmlrpc 2022-11-02 14:07:05 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.6 for RHEL 8

Via RHSA-2022:7313 https://access.redhat.com/errata/RHSA-2022:7313

Comment 6 Product Security DevOps Team 2022-12-03 03:33:17 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-2238

