CVE-2022-3172: Aggregated API server can cause clients to be redirected (SSRF)

[pacoxu]

What happened?

A security issue was discovered in kube-apiserver that could allow an attacker controlled aggregated API server to redirect client traffic to any URL. This could lead to the client performing unexpected actions as well as leaking the client's credentials to third parties.

There is no mitigation from this issue. Cluster admins should take care to secure aggregated API servers and should not grant access to mutate APIServices to untrusted parties.

What did you expect to happen?

NA

How can we reproduce it (as minimally and precisely as possible)?

NA

Anything else we need to know?

Affected Versions:

• kube-apiserver v1.25.0
• kube-apiserver v1.24.0 - v1.24.4
• kube-apiserver v1.23.0 - v1.23.10
• kube-apiserver v1.22.0 - v1.22.14
• kube-apiserver <= v1.21.?

Fixed Versions:

• kube-apiserver v1.25.1
• kube-apiserver v1.24.5
• kube-apiserver v1.23.11
• kube-apiserver v1.22.14

This vulnerability was reported by Nicolas Joly & Weinong Wang from Microsoft

CVSS Rating: Medium (5.1) CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:L

[github-actions]

Hi @pacoxu,
Thanks for opening an issue!
We will look into it as soon as possible.

Details

Instructions for interacting with me using comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the [gh-ci-bot](https://github.com/wzshiming/gh-ci-bot) repository.