Miggo Logo
Miggo Vulnerability Database
CVE-2022-2385

CVE-2022-2385: aws-iam-authenticator allow-listed IAM identity may be able to modify their username, escalate privileges before v0.5.9

8.1

CVSS Score
3.1

Basic Information

CVE ID
CVE-2022-2385
GHSA ID
GHSA-pp3f-98qg-5g75
EPSS Score
0.48425%
CWE
CWE-20
Published
7/13/2022
Updated
4/13/2023
KEV Status
No
Technology
TechnologyGo

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
sigs.k8s.io/aws-iam-authenticatorgo< 0.5.90.5.9

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stemmed from missing duplicate query parameter validation in the authentication flow. The patch introduced validateDuplicateParameters() to address this. The Verify function in token.go was vulnerable because it processed query parameters (via the 'for key, values := range queryParams' loop) without first checking for duplicates. Attackers could exploit this by submitting multiple instances of security-sensitive parameters (like X-Amz-Credential) to manipulate the authentication process. The added test case in token_test.go explicitly tests for duplicate parameter rejection, confirming this was the attack vector.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* s**urity issu* w*s *is*ov*r** in *ws-i*m-*ut**nti**tor w**r* *n *llow-list** I*M i**ntity m*y ** **l* to mo*i*y t**ir us*rn*m* *n* *s**l*t* privil***s.

Reasoning

T** vuln*r**ility st*mm** *rom missin* *upli**t* qu*ry p*r*m*t*r `v*li**tion` in t** *ut**nti**tion *low. T** p*t** intro*u*** `v*li**t**upli**t*P*r*m*t*rs()` to ***r*ss t*is. T** `V*ri*y` *un*tion in `tok*n.*o` w*s vuln*r**l* ****us* it pro**ss** qu