{"api_version":"1","generated_at":"2026-04-22T19:06:50+00:00","cve":"CVE-2022-1902","urls":{"html":"https://cve.report/CVE-2022-1902","api":"https://cve.report/api/cve/CVE-2022-1902.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2022-1902","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2022-1902"},"summary":{"title":"CVE-2022-1902","description":"A flaw was found in the Red Hat Advanced Cluster Security for Kubernetes. Notifier secrets were not properly sanitized in the GraphQL API. This flaw allows authenticated ACS users to retrieve Notifiers from the GraphQL API, revealing secrets that can escalate their privileges.","state":"PUBLIC","assigner":"secalert@redhat.com","published_at":"2022-09-01 21:15:00","updated_at":"2023-02-12 22:15:00"},"problem_types":["CWE-497"],"metrics":[],"references":[{"url":"https://github.com/stackrox/stackrox/pull/1803","name":"https://github.com/stackrox/stackrox/pull/1803","refsource":"MISC","tags":[],"title":"ROX-10845: Refactor notifier scrubbing by mtodor · Pull Request #1803 · stackrox/stackrox · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://access.redhat.com/errata/RHSA-2022:5188","name":"https://access.redhat.com/errata/RHSA-2022:5188","refsource":"MISC","tags":[],"title":"Red Hat Customer Portal - Access to 24x7 support and knowledge","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://access.redhat.com/errata/RHSA-2022:5189","name":"https://access.redhat.com/errata/RHSA-2022:5189","refsource":"MISC","tags":[],"title":"Red Hat Customer Portal - Access to 24x7 support and knowledge","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://access.redhat.com/security/cve/CVE-2022-1902","name":"https://access.redhat.com/security/cve/CVE-2022-1902","refsource":"MISC","tags":[],"title":"Red Hat Customer Portal - Access to 24x7 support and knowledge","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2090957","name":"https://bugzilla.redhat.com/show_bug.cgi?id=2090957","refsource":"MISC","tags":[],"title":"2090957 – (CVE-2022-1902) CVE-2022-1902 stackrox: Improper sanitization allows users to retrieve Notifier secrets from GraphQL API in plaintext","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://access.redhat.com/errata/RHSA-2022:5132","name":"https://access.redhat.com/errata/RHSA-2022:5132","refsource":"MISC","tags":[],"title":"Red Hat Customer Portal - Access to 24x7 support and knowledge","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2022-1902","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-1902","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2022","cve_id":"1902","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"redhat","cpe5":"advanced_cluster_security","cpe6":"3.68","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"kubernates","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"1902","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"redhat","cpe5":"advanced_cluster_security","cpe6":"3.69","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"kubernates","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"1902","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"redhat","cpe5":"advanced_cluster_security","cpe6":"3.70","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"kubernates","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"data_version":"4.0","data_type":"CVE","data_format":"MITRE","CVE_data_meta":{"ID":"CVE-2022-1902","ASSIGNER":"secalert@redhat.com","STATE":"PUBLIC"},"description":{"description_data":[{"lang":"eng","value":"A flaw was found in the Red Hat Advanced Cluster Security for Kubernetes. Notifier secrets were not properly sanitized in the GraphQL API. This flaw allows authenticated ACS users to retrieve Notifiers from the GraphQL API, revealing secrets that can escalate their privileges."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-497","cweId":"CWE-497"}]}]},"affects":{"vendor":{"vendor_data":[{"vendor_name":"n/a","product":{"product_data":[{"product_name":"Red Hat Advanced Cluster Security for Kubernetes","version":{"version_data":[{"version_affected":"=","version_value":"Red Hat Advanced Cluster Security for Kubernetes 3"}]}}]}}]}},"references":{"reference_data":[{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2090957","refsource":"MISC","name":"https://bugzilla.redhat.com/show_bug.cgi?id=2090957"},{"url":"https://access.redhat.com/security/cve/CVE-2022-1902","refsource":"MISC","name":"https://access.redhat.com/security/cve/CVE-2022-1902"},{"url":"https://github.com/stackrox/stackrox/pull/1803","refsource":"MISC","name":"https://github.com/stackrox/stackrox/pull/1803"}]}},"nvd":{"publishedDate":"2022-09-01 21:15:00","lastModifiedDate":"2023-02-12 22:15:00","problem_types":["CWE-497"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":8.8,"baseSeverity":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.9}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:redhat:advanced_cluster_security:3.68:*:*:*:*:kubernates:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:redhat:advanced_cluster_security:3.69:*:*:*:*:kubernates:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:redhat:advanced_cluster_security:3.70:*:*:*:*:kubernates:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":null,"notes":[]}}}