A flaw was found in all versions of kubeclient up to (but not including) v4.9.3, the Ruby client for Kubernetes REST API, in the way it parsed kubeconfig files. When the kubeconfig file does not configure custom CA to verify certs, kubeclient ends up accepting any certificate (it wrongly returns VERIFY_NONE). Ruby applications that leverage kubeclient to parse kubeconfig files are susceptible to Man-in-the-middle attacks (MITM).
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2022-03-25T18:03:10

Updated: 2024-08-02T23:40:03.643Z

Reserved: 2022-02-24T00:00:00

Link: CVE-2022-0759

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2022-03-25T19:15:10.283

Modified: 2024-11-21T06:39:20.370

Link: CVE-2022-0759

cve-icon Redhat

Severity : Important

Publid Date: 2022-03-22T00:00:00Z

Links: CVE-2022-0759 - Bugzilla