PT-2022-20511 · Kubeedge · Kubeedge
Adam Korczynski
Published 2022-06-25
Updated 2024-08-21
CVE-2022-31076
CVSS v3.1: 4.2 Medium
Vector: AV:A/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions
KubeEdge versions prior to 1.11.0
KubeEdge versions prior to 1.10.1
KubeEdge versions prior to 1.9.3
Description
A malicious message can crash CloudCore by triggering a nil-pointer dereference in its UDS (Unix domain socket) server. The attack is limited to the local host network and requires the attacker to be an authenticated user of the Cloud. This issue only affects users who have turned on the unixsocket switch of CloudHub in the config file cloudcore.yaml.
Recommendations
For versions prior to 1.11.0, update to version 1.11.0 to resolve the issue.
For versions prior to 1.10.1, update to version 1.10.1 to resolve the issue.
For versions prior to 1.9.3, update to version 1.9.3 to resolve the issue.
As a temporary workaround, consider disabling the unixsocket switch of CloudHub in the config file cloudcore.yaml.
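A check for whether a CloudCore deployment is affected, added here as an example (not code from KubeEdge or from the advisory's authors): it reads the CloudHub unixsocket switch out of cloudcore.yaml and compares the running version against the fixed releases listed above. The key path modules.cloudHub.unixsocket.enable and the sample config are assumptions, not taken from the advisory.

```python
import re

# Constructed sample cloudcore.yaml fragment; the key layout
# (modules.cloudHub.unixsocket.enable) is assumed, not quoted from the advisory.
SAMPLE_CLOUDCORE_YAML = """\
modules:
  cloudHub:
    enable: true
    unixsocket:
      address: unix:///var/lib/kubeedge/kubeedge.sock  # assumed default path
      enable: true
"""

# Patch level that fixes each maintained branch per the advisory; 1.11.0 and later are fixed.
FIXED_PATCH = {(1, 9): 3, (1, 10): 1}

def yaml_scalar(text, path):
    """Return the scalar at dotted `path` in a simple block-style YAML mapping.
    Handles indentation-based nesting and '#' comments only (no lists, anchors or flow syntax)."""
    stack = []  # (indent, key) of the mappings enclosing the current line
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()  # left the previous mapping's block
        stack.append((indent, key))
        if value.strip() and ".".join(k for _, k in stack) == path:
            return value.strip().strip("'\"")
    return None

def version_is_patched(version):
    """True when a CloudCore release carries the fix (1.9.3+, 1.10.1+, or 1.11.0+)."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = (int(g) for g in m.groups())
    if (major, minor) >= (1, 11):
        return True
    return patch >= FIXED_PATCH.get((major, minor), float("inf"))

def cloudcore_exposed(version, cloudcore_yaml):
    """True when this CloudCore is affected by CVE-2022-31076: an unpatched
    release with the CloudHub unixsocket switch turned on."""
    switch = yaml_scalar(cloudcore_yaml, "modules.cloudHub.unixsocket.enable")
    return not version_is_patched(version) and str(switch).lower() == "true"
```

A deployment where cloudcore_exposed returns True should either be upgraded to the fixed release for its branch or have the switch set to false until it can be.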
Exploit
Fix
Weakness Enumeration
NULL Pointer Dereference
Related Identifiers
CVE-2022-31076
Affected Products
Kubeedge