github.com/Azure/aad-pod-identity is vulnerable to information disclosure. The vulnerability exists because server.go
does not properly handle invalid token requests, allowing an attacker to bypass the NMI validation and send the token to IMDS in the cluster through the token request made with backslashes such as /metadata/identity\oauth2\token/
.
CPE | Name | Operator | Version |
---|---|---|---|
github.com/azure/aad-pod-identity | le | v1.8.12 | |
github.com/azure/aad-pod-identity | le | v1.8.12 |