Vulnerability Information
Vulnerability Title
AAD Pod Identity obtaining token with backslash
Vulnerability Description
aad-pod-identity assigns Azure Active Directory identities to Kubernetes applications and was deprecated as of 24 October 2022. The NMI component in AAD Pod Identity intercepts token requests and validates them using a regular expression. A token request made with backslashes in the path (example: `/metadata/identity\oauth2\token/`) bypasses the NMI validation and is sent to IMDS, allowing a pod in the cluster to access identities that it should not have access to. This issue has been fixed, and the fix is included in AAD Pod Identity release version 1.8.13. If you use the AKS pod-managed identities add-on, no action is required; those clusters should now be running the 1.8.13 release.
CVSS Information
CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:L/I:H/A:L
Vulnerability Type
CWE-1259
Vulnerability Title
AAD Pod Identity Security Vulnerability
Vulnerability Description
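Microsoft AAD Pod Identity is a component from Microsoft (USA) that assigns Azure Active Directory identities to Kubernetes applications. AAD Pod Identity versions before 1.8.13 contain a security vulnerability. It stems from the NMI component intercepting and validating token requests based on a regular expression: a token request made with backslashes in the request bypasses NMI validation and is sent to IMDS, allowing a pod in the cluster to access identities that it should not have access to.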
CVSS Information
N/A
Vulnerability Type
N/A
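
The failure mode both descriptions above report, as an added example in Go (a simplified model written for this page, not NMI's code): a regex-gated interceptor matched against the raw path, next to a variant that canonicalises separators first and fails closed. The rule `tokenRule`, the `Decision` values, and the assumption that unmatched paths are forwarded to IMDS are constructed for illustration.

```go
package main

import (
	"fmt"
	"path"
	"regexp"
	"strings"
)

// Constructed rule for the token endpoint; not the expression NMI uses.
var tokenRule = regexp.MustCompile(`^/metadata/identity/oauth2/token/?$`)

type Decision string

const (
	Validate Decision = "validate" // pod identity is checked before IMDS is contacted
	Forward  Decision = "forward"  // proxied to IMDS without an identity check
	Reject   Decision = "reject"   // refused by the interceptor
)

// routeNaive matches the raw path. Any spelling the regex does not anticipate
// falls through to the unchecked Forward branch.
func routeNaive(p string) Decision {
	if tokenRule.MatchString(p) {
		return Validate
	}
	return Forward
}

// routeHardened canonicalises separators before matching and fails closed for
// everything else under the identity prefix.
func routeHardened(p string) Decision {
	canon := path.Clean(strings.ReplaceAll(p, `\`, "/"))
	switch {
	case tokenRule.MatchString(canon):
		return Validate
	case strings.HasPrefix(canon+"/", "/metadata/identity/"):
		return Reject
	}
	return Forward
}

func main() {
	for _, p := range []string{
		"/metadata/identity/oauth2/token/",
		`/metadata/identity\oauth2\token/`, // form quoted in the advisory
		"/metadata/instance",
	} {
		fmt.Printf("%-36q naive=%-8s hardened=%s\n", p, routeNaive(p), routeHardened(p))
	}
}
```

The general point for any intercepting proxy is that the validator and the backend must agree on path syntax; matching on a canonical form and denying unmatched paths under a sensitive prefix keeps a disagreement from turning into an unchecked forward.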