CVE-2022-23551

AAD Pod Identity obtaining token with backslash

Description

aad-pod-identity assigns Azure Active Directory identities to Kubernetes applications and has now been deprecated as of 24 October 2022. The NMI component in AAD Pod Identity intercepts and validates token requests based on regex. In this case, a token request made with backslash in the request (example: `/metadata/identity\oauth2\token/`) would bypass the NMI validation and be sent to IMDS allowing a pod in the cluster to access identities that it shouldn't have access to. This issue has been fixed and has been included in AAD Pod Identity release version 1.8.13. If using the AKS pod-managed identities add-on, no action is required. The clusters should now be running the version 1.8.13 release.

References

Link	Tags
https://github.com/Azure/aad-pod-identity/security/advisories/GHSA-p82q-rxpm-hjpc	third party advisory
https://github.com/Azure/aad-pod-identity/commit/7e01970391bde6c360d077066ca17d059204cb5d	third party advisory patch
https://github.com/Azure/aad-pod-identity/releases/tag/v1.8.13	third party advisory

Frequently Asked Questions

What is the severity of CVE-2022-23551?: CVE-2022-23551 has been scored as a medium severity vulnerability.
How to fix CVE-2022-23551?: To fix CVE-2022-23551, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2022-23551 being actively exploited in the wild?: As for now, there are no information to confirm that CVE-2022-23551 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2022-23551?: CVE-2022-23551 affects Azure aad-pod-identity.

Description

Category

CWE-863 – Incorrect Authorization

References

Frequently Asked Questions