oss-sec mailing list archives
[kubernetes] CVE-2022-2385: aws-iam-authenticator AccessKeyID validation bypass
From: "Hausler, Micah" <mhausler () amazon com>
Date: Mon, 11 Jul 2022 16:42:12 +0000
Hello Kubernetes Community, A security issue was discovered in aws-iam-authenticator where an allow-listed IAM identity may be able to modify their username and escalate privileges. This issue has been rated high (https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N), and assigned CVE-2022-2385 Am I vulnerable? Users are only affected if they use the AccessKeyID template parameter to construct a username and provide different levels of access based on the username. Affected Versions v0.5.2 - v0.5.8 How do I mitigate this vulnerability? Upgrading to v0.5.9 mitigates this vulnerability. Prior to upgrading, this vulnerability can be mitigated by not using the {{AccessKeyID}} template value to construct usernames. Fixed Versions aws-iam-authenticator v0.5.9 Detection This issue affected the logged identity, and is not discernible from valid requests. Additional Details See the GitHub issue for more details: https://github.com/kubernetes-sigs/aws-iam-authenticator/issues/472 Acknowledgements This vulnerability was reported by Gafnit Amiga from Lightspin Micah Hausler Principal Engineer Amazon Web Services
Attachment:
smime.p7s
Description:
Current thread:
- [kubernetes] CVE-2022-2385: aws-iam-authenticator AccessKeyID validation bypass Hausler, Micah (Jul 11)