CVE Vulnerabilities

CVE-2022-0675

Improper Validation of Unsafe Equivalence in Input

Published: Mar 02, 2022 | Modified: Nov 21, 2024
CVSS 3.x
9.8
CRITICAL
Source:
NVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 2.x
6.8 MEDIUM
AV:N/AC:M/Au:N/C:P/I:P/A:P
RedHat/V2
RedHat/V3
9.8 MODERATE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Ubuntu
MEDIUM

In certain situations it is possible for an unmanaged rule to exist on the target system that has the same comment as the rule specified in the manifest. This could allow for unmanaged rules to exist on the target system and leave the system in an unsafe state.

Weakness

The product receives an input value that is used as a resource identifier or other type of reference, but it does not validate or incorrectly validates that the input is equivalent to a potentially-unsafe value.

Affected Software

Name Vendor Start Version End Version
Firewall Puppet * 3.4.0 (excluding)
Red Hat OpenStack Platform 16.1 RedHat puppet-firewall-0:3.4.0-1.94f707cgit.el8ost *
Red Hat OpenStack Platform 16.2 RedHat puppet-firewall-0:3.4.0-1.94f707cgit.el8ost *
Puppet-module-puppetlabs-firewall Ubuntu bionic *
Puppet-module-puppetlabs-firewall Ubuntu impish *
Puppet-module-puppetlabs-firewall Ubuntu kinetic *
Puppet-module-puppetlabs-firewall Ubuntu lunar *
Puppet-module-puppetlabs-firewall Ubuntu mantic *
Puppet-module-puppetlabs-firewall Ubuntu trusty *
Puppet-module-puppetlabs-firewall Ubuntu xenial *

Extended Description

Attackers can sometimes bypass input validation schemes by finding inputs that appear to be safe, but will be dangerous when processed at a lower layer or by a downstream component. For example, a simple XSS protection mechanism might try to validate that an input has no “” tags using case-sensitive matching, but since HTML is case-insensitive when processed by web browsers, an attacker could inject “” and trigger XSS.

Potential Mitigations

  • Assume all input is malicious. Use an “accept known good” input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
  • When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, “boat” may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as “red” or “blue.”
  • Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code’s environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.

References