[Security Advisory] CVE-2022-2385: AccessKeyID validation bypass

463 views
Skip to first unread message

Hausler, Micah

unread,
Jul 11, 2022, 12:40:08 PM7/11/22
to kubernete...@googlegroups.com, d...@kubernetes.io, kubernetes-sec...@googlegroups.com, kubernetes-se...@googlegroups.com, distributo...@kubernetes.io, kubernetes+a...@discoursemail.com

Hello Kubernetes Community,

 

A security issue was discovered in aws-iam-authenticator where an allow-listed IAM identity may be able to modify their username and escalate privileges. 

This issue has been rated high (https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N), and assigned CVE-2022-2385

Am I vulnerable?

Users are only affected if they use the AccessKeyID template parameter to construct a username and provide different levels of access based on the username.

Affected Versions

  • v0.5.2 - v0.5.8

How do I mitigate this vulnerability?

Upgrading to v0.5.9 mitigates this vulnerability.

Prior to upgrading, this vulnerability can be mitigated by not using the {{AccessKeyID}} template value to construct usernames.

Fixed Versions

  • aws-iam-authenticator v0.5.9

Detection

This issue affected the logged identity, and is not discernible from valid requests.

Additional Details

See the GitHub issue for more details: https://github.com/kubernetes-sigs/aws-iam-authenticator/issues/472

Acknowledgements

This vulnerability was reported by Gafnit Amiga from Lightspin

 

Micah Hausler

Principal Engineer

Amazon Web Services

 

Reply all
Reply to author
Forward
0 new messages