0005.md
Improper URL Validation causes MCC Lens Extension to open external programs

Release Date

2022/02/03

Overview

Improper validation of URLs causes Mirantis Container Cloud (MCC) Lens Extension versions before v3.1.1 to open external programs other than the default browser when performing sign-on to a new cluster. An attacker could host a web server that returns a malicious Mirantis Container Cloud configuration file and induce the victim to add a new cluster via this server.
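
A scheme allowlist of the kind this class of bug (CWE-20) calls for, as an added example; it is not the extension's code and not the fix in the commit linked in the timeline. URLs taken from a downloaded configuration reach the OS opener only if they are absolute http(s) URLs. The function names, the injected `opener` callback and the sample URLs are assumptions made for illustration.

```javascript
'use strict';

// Only these schemes are handled by the default browser; anything else may be
// routed by the OS to another registered program.
const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);

// Hypothetical helper: decide whether a URL taken from an untrusted
// configuration file may be handed to the OS "open" facility.
function validateBrowserUrl(value) {
  if (typeof value !== 'string' || value.trim() === '') {
    return { ok: false, reason: 'not a non-empty string' };
  }
  let parsed;
  try {
    parsed = new URL(value.trim()); // no base given, so relative input throws
  } catch (err) {
    return { ok: false, reason: 'not an absolute URL' };
  }
  // The WHATWG parser lowercases the scheme, so "HTTPS:" matches "https:".
  if (!ALLOWED_PROTOCOLS.has(parsed.protocol)) {
    return { ok: false, reason: `scheme ${parsed.protocol} not allowed` };
  }
  if (parsed.username || parsed.password) {
    return { ok: false, reason: 'embedded credentials not allowed' };
  }
  return { ok: true, url: parsed.href }; // normalized form is what gets opened
}

// Hypothetical wrapper: `opener` stands in for whatever call launches the
// browser (assumption), and is reached only with a validated URL.
function openSignOnUrl(rawUrl, opener) {
  const check = validateBrowserUrl(rawUrl);
  if (!check.ok) {
    throw new Error(`refusing to open sign-on URL: ${check.reason}`);
  }
  return opener(check.url);
}

// Constructed sample values, as they might appear in a fetched configuration.
const samples = ['https://sso.example.com/auth', 'HTTPS://SSO.EXAMPLE.COM/auth',
  'file:///tmp/example', 'someapp://action', '/relative/path',
  'https://user:pass@sso.example.com/', 42];
for (const s of samples) {
  console.log(JSON.stringify(s), '->', JSON.stringify(validateBrowserUrl(s)));
}
```
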

Affected Products

MCC Lens Extension prior to v3.1.1

Vulnerability Information

CVE Identifier

CVE-2022-0484

CVSSv3.1

8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWEs

CWE-20

Mitigations

Upgrade to v3.1.1

Workarounds

None

Acknowledgements

Found by Mirantis PSIRT

Disclosure Timeline

2022/02/03: public advisory released

2022/02/03: fixed in https://github.com/Mirantis/lens-extension-cc/commit/23330ad9181022157ee51fedbdfb4d45b848cf49

2022/02/03: Mirantis PSIRT reported vulnerability to Lens team