Lucene search
Veracode Vulnerability DatabaseVERACODE:38559HistoryDec 22, 2022 - 2:33 a.m.
Information Disclosure
2022-12-2202:33:24
Veracode Vulnerability Database
sca.analysiscenter.veracode.com
17
azure
aad-pod-identity
information disclosure
vulnerability
server.go
token requests
nmi validation
imds
cluster
backslashes
token request.
0.001 Low
EPSS
Percentile
29.1%
github.com/Azure/aad-pod-identity is vulnerable to information disclosure. The vulnerability exists because server.go does not properly handle invalid token requests, allowing an attacker to bypass the NMI validation and send the token to IMDS in the cluster through the token request made with backslashes such as /metadata/identity\oauth2\token/.
| CPE | Name | Operator | Version |
|---|---|---|---|
| github.com/azure/aad-pod-identity | le | v1.8.12 | |
| github.com/azure/aad-pod-identity | le | v1.8.12 |
Related
nvd
nvd
CVE-2022-23551
2022-12-21 20:15:09
cbl_mariner
cbl_mariner
CVE-2022-23551 affecting package nmi for versions less than 1.8.17-1
2024-04-09 20:48:36
cve
cve
CVE-2022-23551
2022-12-21 20:15:09
gitlab
gitlab
Improper Restriction of Security Token Assignment
2022-12-21 00:00:00
prion
prion
Cross site request forgery (csrf)
2022-12-21 20:15:00
github
github
AAD Pod Identity obtaining token with backslash
2022-12-21 18:48:22
cvelist
cvelist
CVE-2022-23551 AAD Pod Identity obtaining token with backslash
2022-12-21 19:50:15
osv
osv
AAD Pod Identity obtaining token with backslash
2022-12-21 18:48:22
CVE-2022-23551
2022-12-21 20:15:09
redhatcve
redhatcve
CVE-2022-23551
2022-12-22 20:36:01