An issue was discovered in the Pinniped Supervisor with either LADPIdentityProvider or ActiveDirectoryIdentityProvider resources. An attack would involve the malicious user changing the common name (CN) of their user entry on the LDAP or AD server to include special characters, which could be used to perform LDAP query injection on the Supervisor's LDAP query which determines their Kubernetes group membership.
References
Link | Resource |
---|---|
https://github.com/vmware-tanzu/pinniped/security/advisories/GHSA-hvrf-5hhv-4348 | Third Party Advisory |
https://github.com/vmware-tanzu/pinniped/security/advisories/GHSA-hvrf-5hhv-4348 | Third Party Advisory |
Configurations
History
21 Nov 2024, 06:47
Type | Values Removed | Values Added |
---|---|---|
References | () https://github.com/vmware-tanzu/pinniped/security/advisories/GHSA-hvrf-5hhv-4348 - Third Party Advisory |
19 May 2022, 18:30
Type | Values Removed | Values Added |
---|---|---|
CWE | CWE-74 | |
CVSS |
v2 : v3 : |
v2 : 6.0
v3 : 6.6 |
CPE | cpe:2.3:a:vmware:pinniped:*:*:*:*:*:*:*:* | |
References | (MISC) https://github.com/vmware-tanzu/pinniped/security/advisories/GHSA-hvrf-5hhv-4348 - Third Party Advisory |
11 May 2022, 17:20
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2022-05-11 16:15
Updated : 2024-11-21 06:47
NVD link : CVE-2022-22975
Mitre link : CVE-2022-22975
CVE.ORG link : CVE-2022-22975
JSON object : View
Products Affected
vmware
- pinniped
CWE
CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')