CVE Vulnerability

CVE-2022-28224

Clusters using Calico (version 3.22.1 and below), Calico Enterprise (version 3.12.0 and below), may be vulnerable to route hijacking with the floating IP feature. Due to insufficient validation, a privileged attacker may be able to set a floating IP annotation to a pod even if the feature is not enabled. This may allow the attacker to intercept and reroute traffic to their compromised pod.

5.5 /10

CVSS v2.0 :

V3 Legend

Vector :

Exploitability : 8 / Impact : 4.9

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact PARTIAL

Scope

5.5 /10

CVSS v3.0 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.2 / Impact : 4.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://www.tigera.io/security-bulletins-tta-2022-001/ Vendor Advisory
Configurations

Configuration 1

cpe:2.3:a:tigera:calico_enterprise:3.12.0:*:*:*:*:*:*:*
cpe:2.3:a:tigera:calico_enterprise:*:*:*:*:*:*:*:*
cpe:2.3:o:tigera:calico_os:*:*:*:*:*:*:*:*
cpe:2.3:o:tigera:calico_os:*:*:*:*:*:*:*:*
cpe:2.3:o:tigera:calico_os:*:*:*:*:*:*:*:*
Information

Published : 2022-06-06 06:15

Updated : 2022-06-14 03:32

NVD link : CVE-2022-28224

Mitre link : CVE-2022-28224

Products Affected
No products.
CWE
CWE-20