
Improper Restriction of Security Token Assignment


Severity Medium
Score 5.3/10


aad-pod-identity assigns Azure Active Directory identities to Kubernetes applications and has been deprecated as of 24 October 2022. The NMI component in AAD Pod Identity intercepts token requests and validates them using a regex. A token request made with backslashes in the path (example: `/metadata/identity\oauth2\token/`) bypasses the NMI validation and is sent to IMDS, allowing a pod in the cluster to access identities that it shouldn't have access to. If you are using the AKS pod-managed identities add-on, no action is required. This vulnerability affects package versions prior to 1.8.13.
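The validation gap described above, as an added illustration in Go (not code from aad-pod-identity): the regex, the route labels and the function names `naiveRoute` and `hardenedRoute` are hypothetical. It contrasts a check that validates only exact forward-slash matches with one that rejects backslashes and denies unrecognised paths under the identity prefix.

```go
package main

import (
	"fmt"
	"path"
	"regexp"
	"strings"
)

// Hypothetical token-endpoint pattern; not the project's actual regex.
var tokenRe = regexp.MustCompile(`^/metadata/identity/oauth2/token/?$`)

// naiveRoute validates only exact forward-slash matches and forwards
// every other path upstream without any identity check.
func naiveRoute(p string) string {
	if tokenRe.MatchString(p) {
		return "validate"
	}
	return "forward"
}

// hardenedRoute takes the decoded request path, rejects backslashes outright,
// canonicalises what is left, and default-denies under the identity prefix.
func hardenedRoute(p string) string {
	if strings.Contains(p, `\`) {
		return "reject"
	}
	// Fold case and collapse "//", "." and ".." before comparing
	// (assumes the upstream may treat paths case-insensitively).
	clean := path.Clean("/" + strings.ToLower(p))
	switch {
	case clean == "/metadata/identity/oauth2/token":
		return "validate"
	case clean == "/metadata/identity" || strings.HasPrefix(clean, "/metadata/identity/"):
		return "reject"
	}
	return "forward"
}

func main() {
	// Constructed sample paths; the second is the form quoted in the advisory.
	for _, p := range []string{
		"/metadata/identity/oauth2/token/",
		`/metadata/identity\oauth2\token/`,
		"/metadata/instance",
	} {
		fmt.Printf("%-36q naive=%-8s hardened=%s\n", p, naiveRoute(p), hardenedRoute(p))
	}
}
```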

  • LOW
  • HIGH
  • HIGH
  • LOW
  • LOW

CWE-1259 - Improper Restriction of Security Token Assignment

The System-On-A-Chip (SoC) implements a Security Token mechanism to differentiate what actions are allowed or disallowed when a transaction originates from an entity. However, the Security Tokens are improperly protected.

Advisory Timeline

  • Published