Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS02OXAzLXhwMzctZjY5Ms015g

Improper Certificate Validation in kubeclient

A flaw was found in all versions of kubeclient up to (but not including) v4.9.3, the Ruby client for Kubernetes REST API, in the way it parsed kubeconfig files. When the kubeconfig file does not configure custom CA to verify certs, kubeclient ends up accepting any certificate (it wrongly returns VERIFY_NONE). Ruby applications that leverage kubeclient to parse kubeconfig files are susceptible to Man-in-the-middle attacks (MITM).

Permalink: https://github.com/advisories/GHSA-69p3-xp37-f692
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS02OXAzLXhwMzctZjY5Ms015g
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 2 years ago
Updated: about 1 year ago

CVSS Score: 8.1
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Identifiers: GHSA-69p3-xp37-f692, CVE-2022-0759
References:

Repository: https://github.com/ManageIQ/kubeclient
Blast Radius: 25.2

Affected Packages

rubygems:kubeclient

Dependent packages: 51
Dependent repositories: 1,294
Downloads: 30,703,642 total
Affected Version Ranges: < 4.9.3
Fixed in: 4.9.3
All affected versions: 0.0.1, 0.0.2, 0.0.3, 0.0.4, 0.0.5, 0.0.6, 0.0.7, 0.0.8, 0.0.9, 0.1.0, 0.1.1, 0.1.2, 0.1.3, 0.1.4, 0.1.5, 0.1.6, 0.1.7, 0.1.8, 0.1.9, 0.1.10, 0.1.11, 0.1.12, 0.1.13, 0.1.14, 0.1.15, 0.1.16, 0.1.17, 0.2.0, 0.3.0, 0.4.0, 0.5.0, 0.5.1, 0.6.0, 0.7.0, 0.8.0, 0.8.1, 0.9.0, 1.0.0, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.2.0, 2.0.0, 2.1.0, 2.2.0, 2.3.0, 2.4.0, 2.5.1, 2.5.2, 3.0.0, 3.1.0, 3.1.1, 3.1.2, 4.0.0, 4.1.0, 4.1.1, 4.1.2, 4.2.0, 4.2.1, 4.2.2, 4.3.0, 4.4.0, 4.5.0, 4.6.0, 4.7.0, 4.8.0, 4.9.0, 4.9.1, 4.9.2
All unaffected versions: 4.9.3, 4.10.0, 4.10.1, 4.11.0