REDHAT-BUG-2090957
First published: Fri May 27 2022(Updated: )
In Red Hat Advanced Cluster Security for Kubernetes, it was found that Notifier secrets were not properly sanitized in the GraphQL API. Authenticated ACS users could exploit this by retrieving Notifiers from the GraphQL API, revealing secrets that could then be used to escalate their privileges. <a href="https://github.com/stackrox/stackrox/pull/1803">https://github.com/stackrox/stackrox/pull/1803</a>
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Red Hat Advanced Cluster Security |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of REDHAT-BUG-2090957?
The severity of REDHAT-BUG-2090957 is categorized as a medium risk due to the potential for privilege escalation.
How can I mitigate the vulnerability REDHAT-BUG-2090957?
Mitigation for REDHAT-BUG-2090957 involves updating to the latest patched version of Red Hat Advanced Cluster Security for Kubernetes.
Who is affected by REDHAT-BUG-2090957?
Authenticated users of Red Hat Advanced Cluster Security for Kubernetes are affected by REDHAT-BUG-2090957.
What are the potential consequences of exploiting REDHAT-BUG-2090957?
Exploiting REDHAT-BUG-2090957 could allow an attacker to retrieve sensitive Notifier secrets and escalate their privileges.
Is there a workaround for REDHAT-BUG-2090957?
Currently, there are no specific workarounds suggested for REDHAT-BUG-2090957 other than applying the security update.
- agent/references
- agent/type
- agent/first-publish-date
- agent/last-modified-date
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2022-1902
- agent/severity
- agent/description
- agent/event
- agent/source
- agent/tags
- agent/softwarecombine
- agent/guess-ai
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- vendor/red hat
- canonical/red hat advanced cluster security