A content spoofing vulnerability was found in Kiali. It was discovered that Kiali does not implement error handling when the page or endpoint being accessed cannot be found. This issue allows an attacker to perform arbitrary text injection when an error response is retrieved from the URL being accessed.
References
Link | Resource |
---|---|
https://access.redhat.com/errata/RHSA-2023:0542 | Third Party Advisory |
https://access.redhat.com/security/cve/CVE-2022-3962 | Third Party Advisory |
https://bugzilla.redhat.com/show_bug.cgi?id=2148661 | Issue Tracking Third Party Advisory |
Configurations
Configuration 1 (hide)
|
Configuration 2 (hide)
AND |
|
History
26 Sep 2023, 14:24
Type | Values Removed | Values Added |
---|---|---|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 4.3 |
References | (MISC) https://bugzilla.redhat.com/show_bug.cgi?id=2148661 - Issue Tracking, Third Party Advisory | |
References | (MISC) https://access.redhat.com/errata/RHSA-2023:0542 - Third Party Advisory | |
References | (MISC) https://access.redhat.com/security/cve/CVE-2022-3962 - Third Party Advisory | |
First Time |
Kiali kiali
Redhat enterprise Linux For Ibm Z Systems Kiali Redhat enterprise Linux For Power Little Endian Eus Redhat openshift Service Mesh Redhat Redhat enterprise Linux |
|
CWE | NVD-CWE-noinfo | |
CPE | cpe:2.3:a:redhat:openshift_service_mesh:2.3.1:*:*:*:*:*:*:* cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian_eus:8.0:*:*:*:*:*:*:* cpe:2.3:a:kiali:kiali:-:*:*:*:*:*:*:* cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:* cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems:8.0:*:*:*:*:*:*:* |
23 Sep 2023, 20:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2023-09-23 20:15
Updated : 2023-12-10 15:14
NVD link : CVE-2022-3962
Mitre link : CVE-2022-3962
CVE.ORG link : CVE-2022-3962
JSON object : View
Products Affected
kiali
- kiali
redhat
- enterprise_linux
- enterprise_linux_for_ibm_z_systems
- openshift_service_mesh
- enterprise_linux_for_power_little_endian_eus
CWE
NVD-CWE-noinfo
CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')