search

golang / vulndb

[mirror] The Go Vulnerability Database
Other
562 stars 61 forks source link

x/vulndb: potential Go vuln in github.com/Azure/aad-pod-identity: GHSA-p82q-rxpm-hjpc #1181

Closed GoVulnBot closed 1 year ago

GoVulnBot commented 1 year ago

In GitHub Security Advisory GHSA-p82q-rxpm-hjpc, there is a vulnerability in the following Go packages or modules:

Unit Fixed Vulnerable Ranges
github.com/Azure/aad-pod-identity 1.8.13 < 1.8.13

Cross references: No existing reports found with this module or alias.

See doc/triage.md for instructions on how to triage this report.

modules:
  - module: TODO
    versions:
      - fixed: 1.8.13
    packages:
      - package: github.com/Azure/aad-pod-identity
description: |
    ### Impact
    _What kind of vulnerability is it? Who is impacted?_
    The [NMI](https://azure.github.io/aad-pod-identity/docs/concepts/nmi/) component in AAD Pod Identity intercepts and validates token requests based on regex. In this case, a token request made with backslash in the request (example: `/metadata/identity\oauth2\token/`) would bypass the NMI validation and be sent to [IMDS](https://learn.microsoft.com/en-us/azure/virtual-machines/windows/instance-metadata-service?tabs=windows) allowing a pod in the cluster to access identities that it shouldn't have access to.

    ### Patches
    _Has the problem been patched? What versions should users upgrade to?_
    - We analyzed this bug and determined that we needed to fix it. This fix has been included in AAD Pod Identity release [v1.8.13](https://github.com/Azure/aad-pod-identity/releases/tag/v1.8.13)
    - If using the [AKS pod-managed identities add-on](https://learn.microsoft.com/en-us/azure/aks/use-azure-ad-pod-identity), no action is required. The clusters should now be running the `v1.8.13` release.

    ### Workarounds
    _Is there a way for users to fix or remediate the vulnerability without upgrading?_

    ### References
    _Are there any links users can visit to find out more?_

    ### For more information

    If you have any questions or comments about this advisory:

    Open an issue in [Azure/aad-pod-identity](https://github.com/Azure/aad-pod-identity)
ghsas:
  - GHSA-p82q-rxpm-hjpc
gopherbot commented 1 year ago

Change https://go.dev/cl/459035 mentions this issue: data/excluded: batch add GO-2022-1182, GO-2022-1181, GO-2022-1179, GO-2022-1173, GO-2022-1172, GO-2022-1171

gopherbot commented 4 months ago

Change https://go.dev/cl/592835 mentions this issue: data/reports: unexclude 50 reports

gopherbot commented 2 months ago

Change https://go.dev/cl/607232 mentions this issue: data/reports: unexclude 20 reports (30)