LDAP Injection Vulnerability in Pinniped Supervisor by VMware Tanzu
CVE-2022-22975

6.6MEDIUM

Key Information:

Vendor

Vmware

Status
Vendor
CVE Published:
11 May 2022

What is CVE-2022-22975?

A vulnerability has been identified in the Pinniped Supervisor, specifically related to the LADPIdentityProvider and ActiveDirectoryIdentityProvider components. This issue arises when an attacker manipulates their user entry's common name (CN) to include special characters. Such manipulation can exploit the Supervisor's LDAP query, allowing unauthorized access to group memberships in Kubernetes. This jeopardizes the security of the cluster by enabling attackers to gain elevated privileges through crafted LDAP queries.

Affected Version(s)

Pinniped Pinniped versions before v0.17.0

References

CVSS V3.1

Score:
6.6
Severity:
MEDIUM
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
High
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.