{"containers": {"cna": {"affected": [{"product": "AMQ Broker Operator", "vendor": "n/a", "versions": [{"status": "affected", "version": "AMQ Broker Operator 7.9.4 and prior"}]}], "descriptions": [{"lang": "en", "value": "A flaw was found in AMQ Broker Operator 7.9.4 installed via UI using OperatorHub where a low-privilege user that has access to the namespace where the AMQ Operator is deployed has access to clusterwide edit rights by checking the secrets. The service account used for building the Operator gives more permission than expected and an attacker could benefit from it. This requires at least an already compromised low-privilege account or insider attack."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-276", "description": "CWE-276", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-06-21T14:23:41", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2089406#c4"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T00:17:00.931Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2089406#c4"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2022-1833", "datePublished": "2022-06-21T14:23:41", "dateReserved": "2022-05-23T00:00:00", "dateUpdated": "2024-08-03T00:17:00.931Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:amq_broker:7.9.4:*:*:*:*:*:*:*", "matchCriteriaId": "F0BEEB9A-A55D-4C42-9C9C-681E9D2E9350", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A flaw was found in AMQ Broker Operator 7.9.4 installed via UI using OperatorHub where a low-privilege user that has access to the namespace where the AMQ Operator is deployed has access to clusterwide edit rights by checking the secrets. The service account used for building the Operator gives more permission than expected and an attacker could benefit from it. This requires at least an already compromised low-privilege account or insider attack."}, {"lang": "es", "value": "Se ha encontrado un fallo en AMQ Broker Operator versi\u00f3n 7.9.4, instalado por medio de la interfaz de usuario usando OperatorHub, en el que un usuario poco privilegiado que presenta acceso al espacio de nombres donde es desplegado el AMQ Operator presenta acceso a los derechos de edici\u00f3n de todo el cl\u00faster mediante la comprobaci\u00f3n de los secretos. La cuenta de servicio usada para construir el Operador da m\u00e1s permisos de los esperados y un atacante podr\u00eda beneficiarse de ello. Esto requiere al menos una cuenta de bajo privilegio ya comprometida o un ataque interno"}], "id": "CVE-2022-1833", "lastModified": "2024-11-21T06:41:34.267", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-06-21T15:15:08.380", "references": [{"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2089406#c4"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2089406#c4"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-276"}], "source": "secalert@redhat.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-276"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank Lukas Bauer (T-Systems International GmbH) for reporting this issue.", "affected_release": [{"advisory": "RHSA-2022:5101", "cpe": "cpe:/a:redhat:amq_broker:7", "package": "amq-broker-operator-container", "product_name": "Red Hat AMQ 7.10.0", "release_date": "2022-06-16T00:00:00Z"}], "bugzilla": {"description": "amq: AMQ Broker Operator ClusterWide Edit Permissions Due Token Exposure", "id": "2089406", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2089406"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.8", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-276", "details": ["A flaw was found in AMQ Broker Operator 7.9.4 installed via UI using OperatorHub where a low-privilege user that has access to the namespace where the AMQ Operator is deployed has access to clusterwide edit rights by checking the secrets. The service account used for building the Operator gives more permission than expected and an attacker could benefit from it. This requires at least an already compromised low-privilege account or insider attack.", "A flaw was found in AMQ Broker Operator, installed via UI using the OperatorHub. In this vulnerability, a low-privilege user with access to the Operator deployed namespace has access to cluster-wide edit rights. This flaw allows an attacker to have full cluster management access."], "mitigation": {"lang": "en:us", "value": "In order to have these privileges correctly set in this version, opt for using the CLI method at https://access.redhat.com/documentation/en-us/red_hat_amq/7.4/html/deploying_amq_broker_on_openshift_container_platform/broker-operator-broker-ocp#operator-install-broker-ocp\nMake sure to use the latest available version in order to have access to the latest bug and security fixes."}, "name": "CVE-2022-1833", "public_date": "2022-06-15T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-1833\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-1833\nhttps://access.redhat.com/documentation/en-us/red_hat_amq/7.4/html/deploying_amq_broker_on_openshift_container_platform/broker-operator-broker-ocp"], "threat_severity": "Important"}