CVE Vulnerability

CVE-2022-22975

An issue was discovered in the Pinniped Supervisor with either LADPIdentityProvider or ActiveDirectoryIdentityProvider resources. An attack would involve the malicious user changing the common name (CN) of their user entry on the LDAP or AD server to include special characters, which could be used to perform LDAP query injection on the Supervisor's LDAP query which determines their Kubernetes group membership.

6 /10

CVSS v2.0 :

V3 Legend

Vector :

Exploitability : 6.8 / Impact : 6.4

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

Scope

6.6 /10

CVSS v3.0 : MEDIUM

V3 Legend

Vector :

Exploitability : 0.7 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://github.com/vmware-tanzu/pinniped/security/advisories/GHSA-hvrf-5hhv-4348 Third Party Advisory
Configurations

Configuration 1

cpe:2.3:a:vmware:pinniped:*:*:*:*:*:*:*:*
Information

Published : 2022-05-11 04:15

Updated : 2022-05-19 06:30

NVD link : CVE-2022-22975

Mitre link : CVE-2022-22975

Products Affected
No products.
CWE
CWE-74