github.com/vmware-tanzu/pinniped is vulnerable to session fixation. The vulnerability exists due to insufficient session expiration in the validateAccessToken function of token_exchange.go, allowing an attacker to use the access token to continue the session without refreshing the token when authenticating to Kubernetes clusters via the Pinniped Supervisor.
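The following is an added, illustrative example and not Pinniped's own code: it contrasts a token validator that ignores the token lifetime (the general failure mode of insufficient session expiration, where a stale access token keeps a session alive) with one that enforces it. The accessToken type, the validate functions and the sample timestamps are all assumptions constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// accessToken is a hypothetical session token; it is not a Pinniped type.
type accessToken struct {
	Subject   string
	IssuedAt  time.Time
	ExpiresAt time.Time
}

var (
	errMissingSubject = errors.New("access token has no subject")
	errNotYetValid    = errors.New("access token not yet valid")
	errExpired        = errors.New("access token expired; client must refresh")
)

// validateAccessTokenWeak checks the token's shape but never looks at its
// lifetime, so an expired token keeps working indefinitely (illustrative
// weak check, constructed for this example).
func validateAccessTokenWeak(tok accessToken, now time.Time) error {
	if tok.Subject == "" {
		return errMissingSubject
	}
	return nil
}

// validateAccessTokenStrict additionally enforces the issued-at / expires-at
// window, so a token past its expiry is rejected and the client is forced
// to go through the refresh flow to continue the session.
func validateAccessTokenStrict(tok accessToken, now time.Time) error {
	if tok.Subject == "" {
		return errMissingSubject
	}
	if now.Before(tok.IssuedAt) {
		return errNotYetValid
	}
	if !now.Before(tok.ExpiresAt) {
		return errExpired
	}
	return nil
}

func main() {
	// Constructed sample: a token issued two hours ago with a one-hour lifetime.
	now := time.Date(2024, 1, 1, 12, 0, 0, 0, time.UTC)
	stale := accessToken{
		Subject:   "alice",
		IssuedAt:  now.Add(-2 * time.Hour),
		ExpiresAt: now.Add(-1 * time.Hour),
	}
	fmt.Println("weak validator:  ", validateAccessTokenWeak(stale, now))
	fmt.Println("strict validator:", validateAccessTokenStrict(stale, now))
}
```

The strict variant takes the current time as a parameter rather than calling time.Now() internally, which keeps the expiry decision deterministic and testable; a real validator would additionally bind the token to the session it was issued for and check its signature before any of these fields are trusted.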
Name | Operator | Version
---|---|---
github.com/vmware-tanzu/pinniped | le | v0.18.0