Lucene search

GoogleOSV:BIT-PINNIPED-2022-31677

HistoryMar 06, 2024 - 11:01 a.m.

BIT-pinniped-2022-31677

2024-03-0611:01:40

Google

osv.dev

security issue

access token

refresh token

kubernetes

pinniped supervisor

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

6.7 Medium

AI Score

Confidence

Low

0.001 Low

EPSS

Percentile

22.9%

JSON

An Insufficient Session Expiration issue was discovered in the Pinniped Supervisor (before v0.19.0). A user authenticating to Kubernetes clusters via the Pinniped Supervisor could potentially use their access token to continue their session beyond what proper use of their refresh token might allow.

CPENameOperatorVersion
pinnipedge0.3.0
pinnipedlt0.19.0

CPE	Name	Operator	Version
	pinniped	ge	0.3.0
	pinniped	lt	0.19.0

References

github.com/vmware-tanzu/pinniped/security/advisories/GHSA-rp4v-hhm6-rcv9

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

6.7 Medium

AI Score

Confidence

Low

0.001 Low

EPSS

Percentile

22.9%

JSON

Related for OSV:BIT-PINNIPED-2022-31677