Vulnerability-Lookup

CVE-2022-31677 (GCVE-0-2022-31677)

Vulnerability from cvelistv5 – Published: 2022-08-29 14:03 – Updated: 2024-08-03 07:26

Summary

An Insufficient Session Expiration issue was discovered in the Pinniped Supervisor (before v0.19.0). A user authenticating to Kubernetes clusters via the Pinniped Supervisor could potentially use their access token to continue their session beyond what proper use of their refresh token might allow.

Severity ?

No CVSS data available.

CWE

Insufficient Session Expiration issue

Assigner

vmware

References

URL

Tags

https://github.com/vmware-tanzu/pinniped/security…

x_refsource_MISC

Impacted products

	Vendor	Product	Version
	n/a	Pinniped Supervisor	Affected: Pinniped Supervisor (before v0.19.0)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T07:26:01.043Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/vmware-tanzu/pinniped/security/advisories/GHSA-rp4v-hhm6-rcv9"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Pinniped Supervisor",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "Pinniped Supervisor (before v0.19.0)"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An Insufficient Session Expiration issue was discovered in the Pinniped Supervisor (before v0.19.0). A user authenticating to Kubernetes clusters via the Pinniped Supervisor could potentially use their access token to continue their session beyond what proper use of their refresh token might allow."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Insufficient Session Expiration issue",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-08-29T14:03:02",
        "orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
        "shortName": "vmware"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/vmware-tanzu/pinniped/security/advisories/GHSA-rp4v-hhm6-rcv9"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@vmware.com",
          "ID": "CVE-2022-31677",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Pinniped Supervisor",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "Pinniped Supervisor (before v0.19.0)"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "An Insufficient Session Expiration issue was discovered in the Pinniped Supervisor (before v0.19.0). A user authenticating to Kubernetes clusters via the Pinniped Supervisor could potentially use their access token to continue their session beyond what proper use of their refresh token might allow."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Insufficient Session Expiration issue"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/vmware-tanzu/pinniped/security/advisories/GHSA-rp4v-hhm6-rcv9",
              "refsource": "MISC",
              "url": "https://github.com/vmware-tanzu/pinniped/security/advisories/GHSA-rp4v-hhm6-rcv9"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
    "assignerShortName": "vmware",
    "cveId": "CVE-2022-31677",
    "datePublished": "2022-08-29T14:03:02",
    "dateReserved": "2022-05-25T00:00:00",
    "dateUpdated": "2024-08-03T07:26:01.043Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:vmware:pinniped:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"0.3.0\", \"versionEndExcluding\": \"0.19.0\", \"matchCriteriaId\": \"CBB32186-1AC4-487B-93E7-8E1F70DE3966\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"An Insufficient Session Expiration issue was discovered in the Pinniped Supervisor (before v0.19.0). A user authenticating to Kubernetes clusters via the Pinniped Supervisor could potentially use their access token to continue their session beyond what proper use of their refresh token might allow.\"}, {\"lang\": \"es\", \"value\": \"Se ha detectado un problema de caducidad de sesi\\u00f3n insuficiente en el supervisor Pinniped (versiones anteriores a 0.19.0). Un usuario que es autenticado en clusters Kubernetes por medio del Supervisor Pinniped podr\\u00eda usar su token de acceso para continuar su sesi\\u00f3n m\\u00e1s all\\u00e1 de lo que el uso apropiado de su token de actualizaci\\u00f3n podr\\u00eda permitir\"}]",
      "id": "CVE-2022-31677",
      "lastModified": "2024-11-21T07:05:06.457",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N\", \"baseScore\": 5.4, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 2.5}]}",
      "published": "2022-08-29T15:15:10.867",
      "references": "[{\"url\": \"https://github.com/vmware-tanzu/pinniped/security/advisories/GHSA-rp4v-hhm6-rcv9\", \"source\": \"security@vmware.com\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://github.com/vmware-tanzu/pinniped/security/advisories/GHSA-rp4v-hhm6-rcv9\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}]",
      "sourceIdentifier": "security@vmware.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-613\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2022-31677\",\"sourceIdentifier\":\"security@vmware.com\",\"published\":\"2022-08-29T15:15:10.867\",\"lastModified\":\"2024-11-21T07:05:06.457\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"An Insufficient Session Expiration issue was discovered in the Pinniped Supervisor (before v0.19.0). A user authenticating to Kubernetes clusters via the Pinniped Supervisor could potentially use their access token to continue their session beyond what proper use of their refresh token might allow.\"},{\"lang\":\"es\",\"value\":\"Se ha detectado un problema de caducidad de sesi\u00f3n insuficiente en el supervisor Pinniped (versiones anteriores a 0.19.0). Un usuario que es autenticado en clusters Kubernetes por medio del Supervisor Pinniped podr\u00eda usar su token de acceso para continuar su sesi\u00f3n m\u00e1s all\u00e1 de lo que el uso apropiado de su token de actualizaci\u00f3n podr\u00eda permitir\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N\",\"baseScore\":5.4,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":2.5}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-613\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vmware:pinniped:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"0.3.0\",\"versionEndExcluding\":\"0.19.0\",\"matchCriteriaId\":\"CBB32186-1AC4-487B-93E7-8E1F70DE3966\"}]}]}],\"references\":[{\"url\":\"https://github.com/vmware-tanzu/pinniped/security/advisories/GHSA-rp4v-hhm6-rcv9\",\"source\":\"security@vmware.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://github.com/vmware-tanzu/pinniped/security/advisories/GHSA-rp4v-hhm6-rcv9\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]}]}}"
  }
}

GHSA-RP4V-HHM6-RCV9

Vulnerability from github – Published: 2022-09-01 22:24 – Updated: 2022-09-08 13:55

Summary

Pinniped Supervisor Insufficient Session Expiration vulnerability

Details

Impact

A user authenticating to Kubernetes clusters via the Pinniped Supervisor could potentially use their access token to continue their session beyond what proper use of their refresh token might allow.

Access tokens issued by the Pinniped Supervisor have an intended expiration lifetime of approximately two minutes. The Pinniped CLI will automatically use the refresh token, which has a lifetime of approximately nine hours, to request a new access token after the access token's advertised expiration time elapses. Starting in Pinniped version 0.13.0, the Supervisor performs checks during each refresh request against the configured external identity provider to determine if the user should be allowed to continue their session. Thus, the short lifetime of the access token is intended to force users to be subjected to those checks often. For example, if a user's account in the external identity provider became locked, the next refresh would fail, and the user should lose access to the Kubernetes clusters fairly quickly. As another example, if a user's group membership changed in the external identity provider, the new group memberships would be reflected in their sessions with Kubernetes clusters within a fairly short window of time.

Access tokens are cached in a local file by the Pinniped CLI (the kubectl plugin) and are sent back to the Supervisor (via HTTPS) to receive cluster-scoped credentials. Due to a bug in this token exchange, the expiration time of the submitted access token was not checked correctly, causing expired access tokens to continue to be accepted by this endpoint until the user's backend session data is deleted, approximately nine hours after their session started. This bug could allow a legitimate user to avoid the checks performed during refresh by maliciously skipping the refresh step.

Note that the Pinniped CLI performs the refresh operation often, so the refresh checks are still performed often under normal usage of the CLI, despite this bug.

Practical impact to versions before v0.13.0 is minimal, since those versions did not perform checks against the external identity provider during refreshes. In these versions, the user can perform refreshes to get a new access tokens without restriction for approximately nine hours, so the duration of their access is effectively unchanged by this bug.

Patches

The impacted token exchange feature was first introduced in v0.3.0. Versions v0.3.0 to v0.18.0 are effected by this bug.

This vulnerability was found by the maintainers of Pinniped and fixed immediately. The fix was introduced in release v0.19.0.

Workarounds

There are no known workarounds. Upgrading the Supervisor is recommended, especially for users of v0.13.0 or newer.

References

The issue was fixed by PR #1264.

For more information

If you have any questions or comments about this advisory, please reach out to the maintainers using one of the methods described in this repo's README.md.

Severity ?

4.9 (Medium)


                  
                    CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "go.pinniped.dev"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.3.0"
            },
            {
              "fixed": "0.19.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-31677"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-09-01T22:24:05Z",
    "nvd_published_at": "2022-08-29T15:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nA user authenticating to Kubernetes clusters via the Pinniped Supervisor could potentially use their access token to continue their session beyond what proper use of their refresh token might allow.\n\nAccess tokens issued by the Pinniped Supervisor have an intended expiration lifetime of approximately two minutes. The Pinniped CLI will automatically use the refresh token, which has a lifetime of approximately nine hours, to request a new access token after the access token\u0027s advertised expiration time elapses. Starting in Pinniped version 0.13.0, the Supervisor performs checks during each refresh request against the configured external identity provider to determine if the user should be allowed to continue their session. Thus, the short lifetime of the access token is intended to force users to be subjected to those checks often. For example, if a user\u0027s account in the external identity provider became locked, the next refresh would fail, and the user should lose access to the Kubernetes clusters fairly quickly. As another example, if a user\u0027s group membership changed in the external identity provider, the new group memberships would be reflected in their sessions with Kubernetes clusters within a fairly short window of time.\n\nAccess tokens are cached in a local file by the Pinniped CLI (the kubectl plugin) and are sent back to the Supervisor (via HTTPS) to receive cluster-scoped credentials. Due to a bug in this token exchange, the expiration time of the submitted access token was not checked correctly, causing expired access tokens to continue to be accepted by this endpoint until the user\u0027s backend session data is deleted, approximately nine hours after their session started. This bug could allow a legitimate user to avoid the checks performed during refresh by maliciously skipping the refresh step.\n\nNote that the Pinniped CLI performs the refresh operation often, so the refresh checks are still performed often under normal usage of the CLI, despite this bug.\n\nPractical impact to versions before v0.13.0 is minimal, since those versions did not perform checks against the external identity provider during refreshes. In these versions, the user can perform refreshes to get a new access tokens without restriction for approximately nine hours, so the duration of their access is effectively unchanged by this bug.\n\n### Patches\n\nThe impacted token exchange feature was first introduced in v0.3.0. Versions v0.3.0 to v0.18.0 are effected by this bug.\n\nThis vulnerability was found by the maintainers of Pinniped and fixed immediately. The fix was introduced in release v0.19.0.\n\n### Workarounds\n\nThere are no known workarounds. Upgrading the Supervisor is recommended, especially for users of v0.13.0 or newer.\n\n### References\n\nThe issue was fixed by PR [#1264](https://github.com/vmware-tanzu/pinniped/pull/1264).\n\n### For more information\n\nIf you have any questions or comments about this advisory, please reach out to the maintainers using one of the methods described in this repo\u0027s [README.md](https://github.com/vmware-tanzu/pinniped/blob/main/README.md#discussion).\n",
  "id": "GHSA-rp4v-hhm6-rcv9",
  "modified": "2022-09-08T13:55:41Z",
  "published": "2022-09-01T22:24:05Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/vmware-tanzu/pinniped/security/advisories/GHSA-rp4v-hhm6-rcv9"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31677"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vmware-tanzu/pinniped/pull/1264"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/vmware-tanzu/pinniped"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vmware-tanzu/pinniped/releases/tag/v0.19.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Pinniped Supervisor Insufficient Session Expiration vulnerability"
}

bit-pinniped-2022-31677

Vulnerability from bitnami_vulndb

Published

2024-03-06 11:01

Modified

2025-04-03 14:40

Summary

Details

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Bitnami",
        "name": "pinniped",
        "purl": "pkg:bitnami/pinniped"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.3.0"
            },
            {
              "fixed": "0.19.0"
            }
          ],
          "type": "SEMVER"
        }
      ],
      "severity": [
        {
          "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
          "type": "CVSS_V3"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-31677"
  ],
  "database_specific": {
    "cpes": [
      "cpe:2.3:a:vmware:pinniped:*:*:*:*:*:*:*:*"
    ],
    "severity": "Medium"
  },
  "details": "An Insufficient Session Expiration issue was discovered in the Pinniped Supervisor (before v0.19.0). A user authenticating to Kubernetes clusters via the Pinniped Supervisor could potentially use their access token to continue their session beyond what proper use of their refresh token might allow.",
  "id": "BIT-pinniped-2022-31677",
  "modified": "2025-04-03T14:40:37.652Z",
  "published": "2024-03-06T11:01:40.783Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/vmware-tanzu/pinniped/security/advisories/GHSA-rp4v-hhm6-rcv9"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31677"
    }
  ],
  "schema_version": "1.5.0"
}

GSD-2022-31677

Vulnerability from gsd - Updated: 2023-12-13 01:19

Details

Aliases

CVE-2022-31677

Aliases

CVE-2022-31677

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2022-31677",
    "description": "An Insufficient Session Expiration issue was discovered in the Pinniped Supervisor (before v0.19.0). A user authenticating to Kubernetes clusters via the Pinniped Supervisor could potentially use their access token to continue their session beyond what proper use of their refresh token might allow.",
    "id": "GSD-2022-31677"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2022-31677"
      ],
      "details": "An Insufficient Session Expiration issue was discovered in the Pinniped Supervisor (before v0.19.0). A user authenticating to Kubernetes clusters via the Pinniped Supervisor could potentially use their access token to continue their session beyond what proper use of their refresh token might allow.",
      "id": "GSD-2022-31677",
      "modified": "2023-12-13T01:19:18.270929Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security@vmware.com",
        "ID": "CVE-2022-31677",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "Pinniped Supervisor",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "Pinniped Supervisor (before v0.19.0)"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "An Insufficient Session Expiration issue was discovered in the Pinniped Supervisor (before v0.19.0). A user authenticating to Kubernetes clusters via the Pinniped Supervisor could potentially use their access token to continue their session beyond what proper use of their refresh token might allow."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "Insufficient Session Expiration issue"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/vmware-tanzu/pinniped/security/advisories/GHSA-rp4v-hhm6-rcv9",
            "refsource": "MISC",
            "url": "https://github.com/vmware-tanzu/pinniped/security/advisories/GHSA-rp4v-hhm6-rcv9"
          }
        ]
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003e=0.3.0 \u003c0.19.0",
          "affected_versions": "All versions starting from 0.3.0 before 0.19.0",
          "cwe_ids": [
            "CWE-1035",
            "CWE-937"
          ],
          "date": "2022-09-01",
          "description": "An Insufficient Session Expiration issue was discovered in the Pinniped Supervisor (before v0.19.0). A user authenticating to Kubernetes clusters via the Pinniped Supervisor could potentially use their access token to continue their session beyond what proper use of their refresh token might allow.",
          "fixed_versions": [
            "0.19.0"
          ],
          "identifier": "CVE-2022-31677",
          "identifiers": [
            "GHSA-rp4v-hhm6-rcv9",
            "CVE-2022-31677"
          ],
          "not_impacted": "All versions before 0.3.0, all versions starting from 0.19.0",
          "package_slug": "go/go.pinniped.dev",
          "pubdate": "2022-09-01",
          "solution": "Upgrade to version 0.19.0 or above.",
          "title": "Pinniped Supervisor Insufficient Session Expiration vulnerability",
          "urls": [
            "https://github.com/vmware-tanzu/pinniped/security/advisories/GHSA-rp4v-hhm6-rcv9",
            "https://nvd.nist.gov/vuln/detail/CVE-2022-31677",
            "https://github.com/vmware-tanzu/pinniped/pull/1264",
            "https://github.com/vmware-tanzu/pinniped/releases/tag/v0.19.0",
            "https://github.com/advisories/GHSA-rp4v-hhm6-rcv9"
          ],
          "uuid": "ca16560a-e25b-4f1d-aa66-caf25c541133"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:vmware:pinniped:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "0.19.0",
                "versionStartIncluding": "0.3.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security@vmware.com",
          "ID": "CVE-2022-31677"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "An Insufficient Session Expiration issue was discovered in the Pinniped Supervisor (before v0.19.0). A user authenticating to Kubernetes clusters via the Pinniped Supervisor could potentially use their access token to continue their session beyond what proper use of their refresh token might allow."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-613"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/vmware-tanzu/pinniped/security/advisories/GHSA-rp4v-hhm6-rcv9",
              "refsource": "MISC",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://github.com/vmware-tanzu/pinniped/security/advisories/GHSA-rp4v-hhm6-rcv9"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 2.5
        }
      },
      "lastModifiedDate": "2022-09-07T18:41Z",
      "publishedDate": "2022-08-29T15:15Z"
    }
  }
}

FKIE_CVE-2022-31677

Vulnerability from fkie_nvd - Published: 2022-08-29 15:15 - Updated: 2024-11-21 07:05

Severity ?

5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Summary

References

	URL	Tags
	security@vmware.com	https://github.com/vmware-tanzu/pinniped/security/advisories/GHSA-rp4v-hhm6-rcv9	Third Party Advisory
	af854a3a-2127-422b-91ae-364da2661108	https://github.com/vmware-tanzu/pinniped/security/advisories/GHSA-rp4v-hhm6-rcv9	Third Party Advisory

Impacted products

	Vendor	Product	Version
	vmware	pinniped	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:vmware:pinniped:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "CBB32186-1AC4-487B-93E7-8E1F70DE3966",
              "versionEndExcluding": "0.19.0",
              "versionStartIncluding": "0.3.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "An Insufficient Session Expiration issue was discovered in the Pinniped Supervisor (before v0.19.0). A user authenticating to Kubernetes clusters via the Pinniped Supervisor could potentially use their access token to continue their session beyond what proper use of their refresh token might allow."
    },
    {
      "lang": "es",
      "value": "Se ha detectado un problema de caducidad de sesi\u00f3n insuficiente en el supervisor Pinniped (versiones anteriores a 0.19.0). Un usuario que es autenticado en clusters Kubernetes por medio del Supervisor Pinniped podr\u00eda usar su token de acceso para continuar su sesi\u00f3n m\u00e1s all\u00e1 de lo que el uso apropiado de su token de actualizaci\u00f3n podr\u00eda permitir"
    }
  ],
  "id": "CVE-2022-31677",
  "lastModified": "2024-11-21T07:05:06.457",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.5,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-08-29T15:15:10.867",
  "references": [
    {
      "source": "security@vmware.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/vmware-tanzu/pinniped/security/advisories/GHSA-rp4v-hhm6-rcv9"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/vmware-tanzu/pinniped/security/advisories/GHSA-rp4v-hhm6-rcv9"
    }
  ],
  "sourceIdentifier": "security@vmware.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-613"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2022-31677 (GCVE-0-2022-31677)

GHSA-RP4V-HHM6-RCV9

Impact

Patches

Workarounds

References

For more information

bit-pinniped-2022-31677

Vulnerability from bitnami_vulndb

GSD-2022-31677

FKIE_CVE-2022-31677

Tags

Sightings

Nomenclature