Improper URL Validation causes MCC Lens Extension to open external programs
Release Date
2022/02/03
Overview
Improper validation of URLs causes Mirantis Container Cloud Lens Extension before v3.1.1 to open external programs other than the default browser to perform sign on to a new cluster. An attacker could host a webserver returning a malicious Mirantis Container Cloud configuration file and induce the victim to add a new cluster via this server.
Affected Products
MCC Lens Extension prior to v3.1.1
Vulnerability Information
CVE Identifier
CVE-2022-0484
CVSSv3.1
8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWEs
CWE-20
Mitigations
Upgrade to v3.1.1
Work arounds
None
Acknowledgements
Found by Mirantis PSIRT
Disclosure Timeline
2022/02/3: public advisory released
2022/02/3: fixed in https://github.com/Mirantis/lens-extension-cc/commit/23330ad9181022157ee51fedbdfb4d45b848cf49
2022/02/3: Mirantis PSIRT reported vulnerability to Lens team