CVE-2022-4975
📋 TL;DR
This vulnerability allows attackers to execute arbitrary JavaScript code in the Red Hat Advanced Cluster Security portal through cross-site scripting (XSS). Attackers with some control over data displayed in table views can inject malicious scripts that execute in users' browsers. This affects organizations using vulnerable versions of RHACS.
💻 Affected Systems
- Red Hat Advanced Cluster Security (RHACS)
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
An attacker could steal administrator session cookies, perform actions as authenticated users, exfiltrate sensitive cluster data, or deploy malicious containers in the Kubernetes environment.
Likely Case
Attackers with some access to RHACS data could steal session tokens or credentials from authenticated users, potentially gaining unauthorized access to the security portal.
If Mitigated
With proper input validation and output encoding, the risk is limited to authenticated users who view maliciously crafted data, but impact would be contained to individual sessions.
🎯 Exploit Status
Exploitation requires some control over data that gets rendered in RHACS table views, typically requiring some level of access to the system.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: RHACS 3.71 and later
Vendor Advisory: https://access.redhat.com/security/cve/CVE-2022-4975
Restart Required: No
Instructions:
1. Update RHACS to version 3.71 or later. 2. Follow Red Hat's upgrade documentation for RHACS. 3. Verify the portal no longer uses innerHTML for table rendering.
🔧 Temporary Workarounds
Implement Content Security Policy
allAdd a strict Content Security Policy header to prevent inline script execution
Add 'Content-Security-Policy: script-src 'self'' to web server headers
🧯 If You Can't Patch
- Restrict access to RHACS portal to trusted users only using network segmentation
- Implement web application firewall rules to block XSS payloads
🔍 How to Verify
Check if Vulnerable:
Check RHACS version via portal UI or command line. Versions 3.70 and earlier are vulnerable.Check Version:
oc get pods -n stackrox | grep central | awk '{print $2}' | cut -d'-' -f2Verify Fix Applied:
After updating to 3.71+, verify that table rendering no longer uses innerHTML by inspecting page source.📡 Detection & Monitoring
Log Indicators:
- Unusual JavaScript execution in portal logs
- Suspicious data patterns in config management tables
Network Indicators:
- Unexpected outbound connections from RHACS portal to external domains
SIEM Query:
source="rhacs-logs" AND (message="*innerHTML*" OR message="*XSS*" OR message="*script*" AND severity="ERROR")