One Article Review
| Source |  CVE Liste |
|---|---|
| Identifiant | 8293495 |
| Date de publication | 2022-12-21 20:15:09 (vue: 2022-12-21 22:07:06) |
| Titre | CVE-2022-23551 |
| Texte | aad-pod-identity assigns Azure Active Directory identities to Kubernetes applications and has now been deprecated as of 24 October 2022. The NMI component in AAD Pod Identity intercepts and validates token requests based on regex. In this case, a token request made with backslash in the request (example: `/metadata/identity\oauth2\token/`) would bypass the NMI validation and be sent to IMDS allowing a pod in the cluster to access identities that it shouldn't have access to. This issue has been fixed and has been included in AAD Pod Identity release version 1.8.13. If using the AKS pod-managed identities add-on, no action is required. The clusters should now be running the version 1.8.13 release. |
| Envoyé | Oui |
| Condensat | 2022 23551 `/metadata/identity aad access action active add aks allowing applications assigns azure backslash based been bypass case cluster clusters component cve deprecated directory example: fixed has have identities identity imds included intercepts issue kubernetes made managed nmi now oauth2 october pod regex release request requests required running sent should shouldn token token/` using validates validation version would |
| Tags | |
| Stories | Uber |
| Notes | |
| Move | 
|
L'article ne semble pas avoir été repris aprés sa publication.
L'article ne semble pas avoir été repris sur un précédent.