AZL-34277

See a problem?

Import Source

https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-34277.json

JSON Data

https://api.osv.dev/v1/vulns/AZL-34277

Upstream

CVE-2022-23551

Published

2022-12-21T20:15:09Z

Modified

2026-04-21T04:27:05.215913Z

Severity

5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:L/I:H/A:L CVSS Calculator

Summary

CVE-2022-23551 affecting package nmi for versions less than 1.8.17-1

Details

aad-pod-identity assigns Azure Active Directory identities to Kubernetes applications and has now been deprecated as of 24 October 2022. The NMI component in AAD Pod Identity intercepts and validates token requests based on regex. In this case, a token request made with backslash in the request (example: /metadata/identity\oauth2\token/) would bypass the NMI validation and be sent to IMDS allowing a pod in the cluster to access identities that it shouldn't have access to. This issue has been fixed and has been included in AAD Pod Identity release version 1.8.13. If using the AKS pod-managed identities add-on, no action is required. The clusters should now be running the version 1.8.13 release.

References

https://nvd.nist.gov/vuln/detail/CVE-2022-23551

Affected packages

Azure Linux:2 / nmi

Package

Name: nmi
Purl: pkg:rpm/azure-linux/nmi

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.8.17-1

Database specific

source

"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-34277.json"