
Security Bulletin: IBM Robotic Process Automation for Cloud Pak may be vulnerable to server-side forgery requests due to Kubernetes kube-apiserver (CVE-2022-3172)

Published: 2022-10-25 19:54:07
Source: www.ibm.com

Tags: ibm robotic process automation, cloud pak, vulnerability, kubernetes, ssrf, security bulletin

CVSS3 (as scored by Vulners): 8.2 High

| Metric | Value |
|---|---|
| Attack Vector | NETWORK |
| Attack Complexity | LOW |
| Privileges Required | NONE |
| User Interaction | REQUIRED |
| Scope | CHANGED |
| Confidentiality Impact | HIGH |
| Integrity Impact | LOW |
| Availability Impact | NONE |

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N

EPSS: 0.001 Low (percentile 28.3%)

Summary

Kubernetes kube-apiserver is used by IBM Robotic Process Automation for Cloud Pak as part of base container images. (CVE-2022-3172)

Vulnerability Details

CVEID: CVE-2022-3172
**DESCRIPTION:** Kubernetes kube-apiserver is vulnerable to server-side request forgery, caused by a flaw that allows an aggregated API server to redirect client traffic to any URL. By sending a specially-crafted request, an attacker could exploit this vulnerability to conduct an SSRF attack, leading to unexpected actions and disclosure of the client's API server credentials to third parties.
CVSS Base score: 5.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/236344 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:L)

Affected Products and Versions

| Affected Product(s) | Version(s) |
|---|---|
| IBM Robotic Process Automation for Cloud Pak | < 21.0.6 |

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now.

| Product(s) | Version(s) number and/or range | Remediation/Fix/Instructions |
|---|---|---|
| IBM Robotic Process Automation for Cloud Pak | < 21.0.6 | Update to 21.0.6 or higher using the following instructions. |

Workarounds and Mitigations

None
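The bulletin itself offers no workaround, only the upgrade. As an added illustration (not IBM's or the Kubernetes project's code), the following shows the two checks a defender would want around this advisory: a redirect policy for an API client that refuses to follow a redirect to any origin other than the API server the request was sent to (so a bearer token is never replayed to a third-party host, which is the credential-disclosure outcome described above), and a version test against the affected range `< 21.0.6` from the tables above. The host names and token value are constructed placeholders.

```python
"""Added example: same-origin redirect policy for an API client, plus a check
against the bulletin's affected version range. Not code from IBM or Kubernetes.
"""
from urllib.error import HTTPError
from urllib.parse import urljoin, urlsplit
from urllib.request import HTTPRedirectHandler, Request, build_opener


def _origin(url: str):
    """Return (scheme, host, port) with the default port filled in."""
    u = urlsplit(url)
    port = u.port or (443 if u.scheme.lower() == "https" else 80)
    return (u.scheme.lower(), (u.hostname or "").lower(), port)


def same_origin(original_url: str, location: str) -> bool:
    """True if a Location header resolves to the origin the request targeted.

    Relative Location values are resolved against the original URL first, so
    "/apis/other" on the same server is allowed while "https://other.example"
    or a scheme downgrade to http on the same host is not.
    """
    return _origin(original_url) == _origin(urljoin(original_url, location))


class SameOriginRedirectHandler(HTTPRedirectHandler):
    """Follow redirects only when they stay on the original API server.

    urllib copies request headers (including Authorization) onto the redirected
    request, so a cross-origin redirect would otherwise carry the client's
    credentials to whatever host the redirect names. Refusing it closes that path.
    """

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        if not same_origin(req.full_url, newurl):
            raise HTTPError(
                req.full_url, code,
                "refusing cross-origin redirect to %s" % newurl, headers, fp,
            )
        return super().redirect_request(req, fp, code, msg, headers, newurl)


# Affected range from the bulletin: versions below 21.0.6 are affected.
FIXED_VERSION = (21, 0, 6)


def is_affected(version: str) -> bool:
    """Compare a dotted product version against the fixed version."""
    parts = tuple(int(p) for p in version.strip().split("."))
    parts += (0,) * (3 - len(parts))  # pad "21.1" to (21, 1, 0)
    return parts < FIXED_VERSION


def build_client():
    """Opener that applies the same-origin redirect policy to every request."""
    return build_opener(SameOriginRedirectHandler())


if __name__ == "__main__":
    # Offline demonstration with constructed URLs; no network calls are made.
    api = "https://api.cluster.example:6443/apis/example.io/v1/things"
    for location in ("/apis/example.io/v1/other", "https://attacker.example/collect"):
        print(location, "->", "follow" if same_origin(api, location) else "refuse")
    for v in ("21.0.5", "21.0.6", "21.1"):
        print(v, "affected" if is_affected(v) else "fixed")
```

Install the opener with `urllib.request.install_opener(build_client())` for clients that use `urlopen`; the same policy can be expressed for other HTTP libraries by disabling automatic redirects and applying `same_origin` before re-issuing the request.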

Affected configurations (Vulners node)

ibm robotic_process_automation Match 21.0.1
OR ibm robotic_process_automation Match 21.0.2
OR ibm robotic_process_automation Match 21.0.3
OR ibm robotic_process_automation Match 21.0.4
OR ibm robotic_process_automation Match 21.0.5
