CVE-2022-2385: aws-iam-authenticator allow-listed IAM identity may be able to modify their username, escalate privileges before v0.5.9
CVSS Score: 8.1 (CVSS 3.1)
Basic Information
CVE ID
GHSA ID
EPSS Score: 0.48425%
CWE
Published: 7/13/2022
Updated: 4/13/2023
KEV Status: No
Technology: Go
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| sigs.k8s.io/aws-iam-authenticator | go | < 0.5.9 | 0.5.9 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stemmed from missing duplicate query parameter validation in the authentication flow. The patch introduced `validateDuplicateParameters()` to address this. The `Verify` function in `token.go` was vulnerable because it processed query parameters (via the `for key, values := range queryParams` loop) without first checking for duplicates. Attackers could exploit this by submitting multiple instances of security-sensitive parameters (like `X-Amz-Credential`) to manipulate the authentication process. The added test case in `token_test.go` explicitly tests for duplicate parameter rejection, confirming this was the attack vector.
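
The check described above can be sketched as follows. This is an added example, not the project's `validateDuplicateParameters()` code: the function name `rejectDuplicateParams`, the case-insensitive comparison, and the sample query strings are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// rejectDuplicateParams (hypothetical name) fails if any query parameter
// occurs more than once. Names are compared case-insensitively (an assumption
// of this example) so "X-Amz-Credential" and "x-amz-credential" collide.
// It must run before any loop that reads the parameters, because url.Values
// keeps every repeated value in a slice and Get() returns only the first.
func rejectDuplicateParams(rawQuery string) error {
	params, err := url.ParseQuery(rawQuery)
	if err != nil {
		return fmt.Errorf("malformed query string: %w", err)
	}
	seen := make(map[string]bool, len(params))
	for key, values := range params {
		if len(values) != 1 {
			return fmt.Errorf("parameter %q appears %d times", key, len(values))
		}
		lower := strings.ToLower(key)
		if seen[lower] {
			return fmt.Errorf("parameter %q repeated with different casing", key)
		}
		seen[lower] = true
	}
	return nil
}

func main() {
	// Constructed query strings; credential values are placeholders.
	samples := []string{
		"Action=GetCallerIdentity&X-Amz-Credential=EXAMPLEKEY%2Fscope",
		"X-Amz-Credential=EXAMPLEKEY%2Fscope&X-Amz-Credential=OTHERKEY%2Fscope",
		"X-Amz-Credential=EXAMPLEKEY%2Fscope&x-amz-credential=OTHERKEY%2Fscope",
	}
	for _, q := range samples {
		if err := rejectDuplicateParams(q); err != nil {
			fmt.Printf("rejected: %s\n  reason: %v\n", q, err)
			continue
		}
		fmt.Printf("accepted: %s\n", q)
	}
}
```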