Improper URL Validation causes MCC Lens Extension to open external programs

Release Date

2022/02/03

Overview

Improper validation of URLs causes Mirantis Container Cloud Lens Extension before v3.1.1 to open external programs other than the default browser when it performs sign-on to a new cluster. An attacker could host a web server that returns a malicious Mirantis Container Cloud configuration file and induce the victim to add a new cluster via this server.
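
The class of check whose absence is described above, as an added example; it is not the extension's code or the v3.1.1 fix. The config field name `ssoUrl`, the function names and all sample values are assumptions made for illustration.

```javascript
// Added example. The config field name `ssoUrl` and all sample values are constructed.
function validateExternalUrl(raw, { allowHttp = false } = {}) {
  if (typeof raw !== 'string' || raw.length === 0 || raw.length > 2048) {
    return { ok: false, reason: 'not a usable string' };
  }
  // The WHATWG parser silently strips tabs and newlines, so reject them up front.
  if (/[\u0000-\u0020\u007f]/.test(raw)) {
    return { ok: false, reason: 'whitespace or control character' };
  }
  let url;
  try {
    url = new URL(raw);
  } catch {
    return { ok: false, reason: 'not an absolute URL' };
  }
  const allowed = allowHttp ? ['https:', 'http:'] : ['https:'];
  if (!allowed.includes(url.protocol)) {
    return { ok: false, reason: `scheme ${url.protocol} not allowed` };
  }
  if (url.username || url.password) {
    return { ok: false, reason: 'embedded credentials' };
  }
  // Return the parser's normalized form so the opener gets exactly what was checked.
  return { ok: true, href: url.href };
}

// Extract the sign-on URL from an untrusted config document and validate it.
function signOnUrlFromConfig(configText, options) {
  let config;
  try {
    config = JSON.parse(configText);
  } catch {
    throw new Error('config is not valid JSON');
  }
  const result = validateExternalUrl(config && config.ssoUrl, options);
  if (!result.ok) {
    throw new Error(`refusing to open sign-on URL: ${result.reason}`);
  }
  return result.href;
}

// Constructed samples: one benign config, one pointing at a local program.
const samples = [
  '{"ssoUrl":"https://sso.example.test/auth"}',
  '{"ssoUrl":"file:///usr/bin/example-program"}',
];
for (const s of samples) {
  try { console.log('open', signOnUrlFromConfig(s)); }
  catch (e) { console.log(e.message); }
}
```

Only the returned `href` should be handed to whatever opens the browser, never the original string from the server-supplied configuration.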

Affected Products

MCC Lens Extension prior to v3.1.1

Vulnerability Information

CVE Identifier

CVE-2022-0484

CVSSv3.1

8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWEs

CWE-20

Mitigations

Upgrade to v3.1.1

Workarounds

None

Acknowledgements

Found by Mirantis PSIRT

Disclosure Timeline

2022/02/03: public advisory released

2022/02/03: fixed in https://github.com/Mirantis/lens-extension-cc/commit/23330ad9181022157ee51fedbdfb4d45b848cf49

2022/02/03: Mirantis PSIRT reported vulnerability to Lens team