Lucene search

[email protected]NVD:CVE-2022-28224

HistoryJun 06, 2022 - 6:15 p.m.

CVE-2022-28224

2022-06-0618:15:09

CWE-20

CWE-200

CWE-201

[email protected]

web.nvd.nist.gov

calico

route hijacking

floating ip

insufficient validation

compromised pod

CVSS2

5.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:N/I:P/A:P

CVSS3

5.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H

EPSS

0.001

Percentile

32.7%

JSON

Clusters using Calico (version 3.22.1 and below), Calico Enterprise (version 3.12.0 and below), may be vulnerable to route hijacking with the floating IP feature. Due to insufficient validation, a privileged attacker may be able to set a floating IP annotation to a pod even if the feature is not enabled. This may allow the attacker to intercept and reroute traffic to their compromised pod.

Affected configurations

Nvd

Node

tigeracalico_enterpriseRange<3.11.4

tigeracalico_enterpriseMatch3.12.0

tigeracalico_osRange<3.20.5

tigeracalico_osRange3.21.0–3.21.5

tigeracalico_osRange3.22.0–3.22.2

VendorProductVersionCPE
tigeracalico_enterprise*cpe:2.3:a:tigera:calico_enterprise:*:*:*:*:*:*:*:*
tigeracalico_enterprise3.12.0cpe:2.3:a:tigera:calico_enterprise:3.12.0:*:*:*:*:*:*:*
tigeracalico_os*cpe:2.3:o:tigera:calico_os:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
tigera	calico_enterprise	*	cpe:2.3:a:tigera:calico_enterprise::::::::
tigera	calico_enterprise	3.12.0	cpe:2.3:a:tigera:calico_enterprise:3.12.0:::::::*
tigera	calico_os	*	cpe:2.3:o:tigera:calico_os::::::::