
CVE-2022-2385: aws-iam-authenticator allow-listed IAM identity may be able to modify their username, escalate privileges before v0.5.9

CVSS Score: 8.1 (CVSS v3.1)

Basic Information

EPSS Score: 0.48425%
Published: 7/13/2022
Updated: 4/13/2023
KEV Status: No
Technology: Go

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Package Name: sigs.k8s.io/aws-iam-authenticator
Ecosystem: go
Vulnerable Versions: < 0.5.9
First Patched Version: 0.5.9

Vulnerability Intelligence
Root Cause Analysis

The vulnerability stemmed from missing duplicate query parameter validation in the authentication flow; the patch introduced validateDuplicateParameters() to address this. The Verify function in token.go was vulnerable because it iterated over the query parameters (the 'for key, values := range queryParams' loop) without first checking that each parameter appeared only once. An attacker could exploit this by submitting multiple instances of security-sensitive parameters (such as X-Amz-Credential) to influence which value the authentication process acted on. The test case added in token_test.go explicitly checks that duplicate parameters are rejected, confirming this was the attack vector.
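As an added illustration, not code from the aws-iam-authenticator project or from this advisory, the Go program below parses a constructed presigned STS token that carries X-Amz-Credential twice and applies a duplicate-parameter check in the spirit of the fix described above. The token values, the verifyToken helper and its rejectDuplicates switch are assumptions made for the example.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Constructed sample token: a presigned STS GetCallerIdentity URL that carries
// X-Amz-Credential twice. Key IDs and signature are placeholders, not real credentials.
const duplicatedToken = "https://sts.amazonaws.com/?Action=GetCallerIdentity&Version=2011-06-15" +
	"&X-Amz-Algorithm=AWS4-HMAC-SHA256" +
	"&X-Amz-Credential=AKIAEXAMPLEONE%2F20220713%2Fus-east-1%2Fsts%2Faws4_request" +
	"&X-Amz-Credential=AKIAEXAMPLETWO%2F20220713%2Fus-east-1%2Fsts%2Faws4_request" +
	"&X-Amz-Date=20220713T000000Z&X-Amz-Expires=60&X-Amz-Signature=placeholder"

// validateDuplicateParameters rejects a query string in which any parameter appears
// more than once. It is modelled on the fix described above, not copied from the project.
func validateDuplicateParameters(q url.Values) error {
	for key, values := range q {
		if len(values) > 1 {
			return fmt.Errorf("query parameter %q appears %d times; exactly one value is allowed", key, len(values))
		}
	}
	return nil
}

// verifyToken parses the presigned URL and returns the access key ID (first "/"-separated
// field of X-Amz-Credential) the verifier would trust. rejectDuplicates=false mimics the
// pre-0.5.9 shape: url.Values.Get returns only the first value, so the second copy is never examined.
func verifyToken(token string, rejectDuplicates bool) (string, error) {
	u, err := url.Parse(token)
	if err != nil {
		return "", fmt.Errorf("malformed token: %w", err)
	}
	q := u.Query()
	if rejectDuplicates {
		if err := validateDuplicateParameters(q); err != nil {
			return "", err
		}
	}
	return strings.SplitN(q.Get("X-Amz-Credential"), "/", 2)[0], nil
}

func main() {
	id, err := verifyToken(duplicatedToken, false)
	fmt.Printf("without check: trusted access key %q, err=%v\n", id, err)
	_, err = verifyToken(duplicatedToken, true)
	fmt.Printf("with check: err=%v\n", err)
}
```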


WAF Protection Rules

WAF Rule

A security issue was discovered in aws-iam-authenticator where an allow-listed IAM identity may be able to modify their username and escalate privileges.
