An issue was discovered in the Pinniped Supervisor when it is configured with either an LDAPIdentityProvider or an ActiveDirectoryIdentityProvider resource. A malicious user who can change the common name (CN) of their own user entry on the LDAP or AD server can include LDAP filter special characters in it; because that value is interpolated into the Supervisor's group-membership search filter, the attacker can perform LDAP query injection against the query that determines their Kubernetes group membership, and so influence which groups they are placed in.
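The following Go program is an added example, not Pinniped's own code, illustrating the class of bug the advisory describes: a group-membership search filter into which the authenticated user's DN is spliced verbatim, beside the same filter built with RFC 4515 value escaping. The filter template, the attribute names, the base DN and the attacker-controlled CN values are all constructed for this example and are not taken from Pinniped.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed example, not Pinniped's code. groupFilterTemplate is a typical
// group-membership search filter in which "{}" is replaced by the
// authenticated user's DN; the attribute names are assumptions.
const groupFilterTemplate = "(&(objectClass=groupOfNames)(member={}))"

// UserDN builds a sample user DN from a CN (constructed input; a real
// Supervisor would receive the DN from the directory after the user bind).
func UserDN(cn string) string {
	return "cn=" + cn + ",ou=people,dc=example,dc=com"
}

// EscapeFilter applies the RFC 4515 section 3 value encoding: '*', '(',
// ')', '\' and NUL are replaced by a backslash and two hex digits, so the
// server treats them as literal characters rather than filter syntax.
// Any other byte may be escaped the same way; these five are mandatory.
func EscapeFilter(s string) string {
	var b strings.Builder
	for i := 0; i < len(s); i++ {
		switch c := s[i]; c {
		case '*', '(', ')', '\\', 0:
			fmt.Fprintf(&b, `\%02x`, c)
		default:
			b.WriteByte(c)
		}
	}
	return b.String()
}

// BuildGroupFilterUnsafe shows the vulnerable pattern: the DN is spliced
// into the filter verbatim, so metacharacters in the CN become filter syntax.
func BuildGroupFilterUnsafe(userDN string) string {
	return strings.Replace(groupFilterTemplate, "{}", userDN, 1)
}

// BuildGroupFilterSafe escapes the DN before interpolation, so the CN is
// matched literally and cannot add or alter filter components.
func BuildGroupFilterSafe(userDN string) string {
	return strings.Replace(groupFilterTemplate, "{}", EscapeFilter(userDN), 1)
}

// CountAssertions counts attribute assertions in a filter string: every '('
// not immediately followed by an operator character (&, |, !) opens one.
// Comparing the built filter against the template is a cheap
// defence-in-depth check that interpolation did not change the filter shape.
func CountAssertions(filter string) int {
	n := 0
	for i := 0; i+1 < len(filter); i++ {
		if filter[i] == '(' && !strings.ContainsRune("&|!", rune(filter[i+1])) {
			n++
		}
	}
	return n
}

func main() {
	// Constructed attacker-controlled CNs. "*" turns the member assertion into
	// a substring match that any member under ou=people satisfies; the second
	// injects extra, still well-formed, filter components.
	for _, cn := range []string{"*", "*)(|(objectClass=*)(cn=x))(member=*"} {
		dn := UserDN(cn)
		unsafe := BuildGroupFilterUnsafe(dn)
		safe := BuildGroupFilterSafe(dn)
		fmt.Printf("cn=%q\n  unsafe: %s  (%d assertions)\n  safe:   %s  (%d assertions)\n",
			cn, unsafe, CountAssertions(unsafe), safe, CountAssertions(safe))
	}
}
```

Escaping is the fix; the assertion-count comparison is only a supplementary check and, as the first CN shows, does not catch a bare `*` that widens an existing assertion into a wildcard match. In real code, use the LDAP client library's own escaping routine (for example `ldap.EscapeFilter` in go-ldap) rather than a hand-written one, and apply it to every value interpolated into a filter, including values that the directory itself returned.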
References
Link | Resource |
---|---|
https://github.com/vmware-tanzu/pinniped/security/advisories/GHSA-hvrf-5hhv-4348 | Third Party Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: vmware
Published: 2022-05-11T15:13:50
Updated: 2022-05-11T15:13:50
Reserved: 2022-01-10T00:00:00
Link: CVE-2022-22975
JSON object: View
NVD Information
Status : Analyzed
Published: 2022-05-11T16:15:08.877
Modified: 2022-05-19T18:30:11.343
Link: CVE-2022-22975
JSON object: View
Redhat Information
No data.
CWE