CVE-2022-2385: AccessKeyID validation bypass #472

Closed
micahhausler opened this issue Jul 11, 2022 · 5 comments
Labels
committee/security-response Denotes an issue or PR intended to be handled by the product security committee. kind/bug Categorizes issue or PR as related to a bug.

micahhausler (Member) commented Jul 11, 2022

CVSS Rating: High

A security issue was discovered in aws-iam-authenticator where an allow-listed IAM identity may be able to modify their username and escalate privileges.

This issue has been rated high (https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N), and assigned CVE-2022-2385.

Am I vulnerable?

Users are only affected if they use the AccessKeyID template parameter to construct a username and provide different levels of access based on the username.

Affected Versions

  • aws-iam-authenticator v0.5.2 - v0.5.8

How do I mitigate this vulnerability?

Upgrading to v0.5.9 mitigates this vulnerability.

Prior to upgrading, this vulnerability can be mitigated by not using the {{AccessKeyID}} template value to construct usernames.

Fixed Versions

This issue was fixed in #469

  • aws-iam-authenticator v0.5.9

Detection

This issue affected the logged identity, and is not discernible from valid requests.

Acknowledgements

This vulnerability was reported by Gafnit Amiga from Lightspin.

/area security
/kind bug
/committee security-response
/label official-cve-feed
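
The "Am I vulnerable?" criteria above, turned into a check of the running version and the identity mappings. This is an added example, not part of the original issue or the project's code. It assumes the mappings are YAML entries with one `username:` key per line; the sample config, function names and status strings are constructed for illustration.

```python
import re

# Affected range as stated in the advisory: v0.5.2 through v0.5.8 (fixed in v0.5.9).
AFFECTED_MIN, AFFECTED_MAX = (0, 5, 2), (0, 5, 8)
TEMPLATE = "{{AccessKeyID}}"
# Assumption: mappings are YAML entries with a "username:" key, one per line.
USERNAME_LINE = re.compile(r"^\s*-?\s*username:\s*(.+?)\s*$")

# Constructed sample mapping (placeholder account ID and role names).
SAMPLE_CONFIG = """\
mapRoles: |
  - rolearn: arn:aws:iam::111122223333:role/dev
    username: "user:{{AccessKeyID}}:{{SessionName}}"
    groups:
      - developers
  - rolearn: arn:aws:iam::111122223333:role/ops
    username: ops-admin
    groups:
      - system:masters
"""

def parse_version(version):
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    return tuple(int(part) for part in m.groups())

def version_affected(version):
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX

def usernames_using_access_key_id(config_text):
    """Return (line number, username template) for each mapping that uses {{AccessKeyID}}."""
    hits = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        m = USERNAME_LINE.match(line)
        if m and TEMPLATE in m.group(1):
            hits.append((lineno, m.group(1).strip("\"'")))
    return hits

def assess(version, config_text):
    hits = usernames_using_access_key_id(config_text)
    if not version_affected(version):
        return "not-in-affected-range", hits
    # Exposure also requires that access levels differ by username; review that by hand.
    return ("affected" if hits else "template-not-used"), hits

if __name__ == "__main__":
    print(assess("v0.5.8", SAMPLE_CONFIG))
```

A result of `template-not-used` on an affected version corresponds to the pre-upgrade mitigation described above; upgrading to v0.5.9 is still the fix.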

@k8s-ci-robot k8s-ci-robot added the kind/bug Categorizes issue or PR as related to a bug. label Jul 11, 2022
k8s-ci-robot (Contributor) commented:

@micahhausler: The label(s) `/label official-cve-feed` cannot be applied. These labels are supported: `api-review, tide/merge-method-merge, tide/merge-method-rebase, tide/merge-method-squash, team/katacoda, refactor`


@k8s-ci-robot k8s-ci-robot added the committee/security-response Denotes an issue or PR intended to be handled by the product security committee. label Jul 11, 2022
adcallis commented:

Hey there @micahhausler - Are you sure that is the correct CVE? When I go to NVD or other sources they are all erroring out on that ID.

pralaydesai commented:

@micahhausler +1 to what @adcallis said. Is the correct CVE mentioned or assigned?

micahhausler (Member, Author) commented:

I used Mitre's new API-based reservation system, and the CVE details aren't yet published.

micahhausler (Member, Author) commented:

Merged CVE details in CVEProject/cvelist#6448, viewable at https://www.cve.org/CVERecord?id=CVE-2022-2385
