Hello Kubernetes Community,
A security issue was discovered in aws-iam-authenticator where an allow-listed IAM identity may be able to modify their username and escalate privileges.
This issue has been rated high (https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N) and assigned CVE-2022-2385.
Users are only affected if they use the AccessKeyID template parameter to construct a username and provide different levels of access based on the username.
Upgrading to v0.5.9 mitigates this vulnerability.
Prior to upgrading, this vulnerability can be mitigated by not using the {{AccessKeyID}} template value to construct usernames.
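To find mappings that match the affected configuration pattern, here is an added audit snippet (not part of this advisory or of aws-iam-authenticator) that scans mapRoles/mapUsers entries and reports any username template containing {{AccessKeyID}}; the sample mappings, account ID and role names below are constructed, and whether the flagged usernames actually receive different access levels still has to be checked against the cluster's RBAC bindings.

```python
import re

# Constructed sample in the authenticator's mapRoles/mapUsers layout.
# The account ID, role and user names are made up for this example.
SAMPLE_CONFIG = """\
mapRoles:
- roleARN: arn:aws:iam::111122223333:role/ci-deployer
  username: ci:{{AccessKeyID}}
  groups:
  - system:masters
- roleARN: arn:aws:iam::111122223333:role/dev-readonly
  username: dev:{{SessionName}}
  groups:
  - view
mapUsers:
- userARN: arn:aws:iam::111122223333:user/alice
  username: user:{{AccessKeyID}}
  groups:
  - edit
"""

AFFECTED_TEMPLATE = "{{AccessKeyID}}"


def find_accesskeyid_usernames(config_text):
    """Return (arn, username) pairs whose username template uses
    {{AccessKeyID}}, the precondition named in the CVE-2022-2385 advisory.
    Deliberately line-based so it needs no YAML library: it recognises the
    '- roleARN:' / '- userARN:' list items (either key casing, as used in
    the authenticator config and the aws-auth ConfigMap) and the indented
    'username:' key that belongs to the current item."""
    findings = []
    current_arn = None
    for line in config_text.splitlines():
        item = re.match(r"\s*-\s*(?:role|user)arn:\s*(\S+)", line, re.I)
        if item:
            current_arn = item.group(1)
            continue
        user = re.match(r"\s*username:\s*(.+?)\s*$", line)
        if user and current_arn and AFFECTED_TEMPLATE in user.group(1):
            findings.append((current_arn, user.group(1)))
    return findings


if __name__ == "__main__":
    for arn, username in find_accesskeyid_usernames(SAMPLE_CONFIG):
        print(f"affected mapping: {arn} -> {username}")
```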
This issue affects the identity that is logged, so it is not discernible from valid requests.
See the GitHub issue for more details: https://github.com/kubernetes-sigs/aws-iam-authenticator/issues/472
This vulnerability was reported by Gafnit Amiga from Lightspin.
Micah Hausler
Principal Engineer
Amazon Web Services