CVE-2022-31677

CVE-2022-31677 is a medium-severity security vulnerability in go.pinniped.dev (go), affecting versions >= 0.3.0, < 0.19.0. It is fixed in 0.19.0.

Does this CVE actually affect you?

Kodem shows which CVEs are reachable and running in your applications, so you fix what's exploitable, not just what's listed.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Runtime intelligence, not another scanner.

Summary

Pinniped Supervisor Insufficient Session Expiration vulnerability

Workarounds

There are no known workarounds. Upgrading the Supervisor is recommended, especially for users of v0.13.0 or newer.

References

The issue was fixed by PR #1264.

For more information

If you have any questions or comments about this advisory, please reach out to the maintainers using one of the methods described in this repo's README.md.

Impact

A user authenticating to Kubernetes clusters via the Pinniped Supervisor could potentially use their access token to continue their session beyond what proper use of their refresh token might allow.

Access tokens issued by the Pinniped Supervisor have an intended expiration lifetime of approximately two minutes. The Pinniped CLI will automatically use the refresh token, which has a lifetime of approximately nine hours, to request a new access token after the access token's advertised expiration time elapses. Starting in Pinniped version 0.13.0, the Supervisor performs checks during each refresh request against the configured external identity provider to determine if the user should be allowed to continue their session. Thus, the short lifetime of the access token is intended to force users to be subjected to those checks often. For example, if a user's account in the external identity provider became locked, the next refresh would fail, and the user should lose access to the Kubernetes clusters fairly quickly. As another example, if a user's group membership changed in the external identity provider, the new group memberships would be reflected in their sessions with Kubernetes clusters within a fairly short window of time.

Access tokens are cached in a local file by the Pinniped CLI (the kubectl plugin) and are sent back to the Supervisor (via HTTPS) to receive cluster-scoped credentials. Due to a bug in this token exchange, the expiration time of the submitted access token was not checked correctly, causing expired access tokens to continue to be accepted by this endpoint until the user's backend session data is deleted, approximately nine hours after their session started. This bug could allow a legitimate user to avoid the checks performed during refresh by maliciously skipping the refresh step.

Note that the Pinniped CLI performs the refresh operation often, so the refresh checks are still performed often under normal usage of the CLI, despite this bug.

Practical impact to versions before v0.13.0 is minimal, since those versions did not perform checks against the external identity provider during refreshes. In these versions, the user can perform refreshes to get a new access tokens without restriction for approximately nine hours, so the duration of their access is effectively unchanged by this bug.

CVE-2022-31677 has a CVSS score of 4.9 (Medium). The vector is network-reachable, low privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (0.19.0); upgrading removes the vulnerable code path.

Affected versions

go.pinniped.dev (>= 0.3.0, < 0.19.0)

Security releases

go.pinniped.dev → 0.19.0 (go)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

Already deployed Kodem?

See it in your environmentNew to Kodem? Get a demo →

Remediation advice

The impacted token exchange feature was first introduced in v0.3.0. Versions v0.3.0 to v0.18.0 are effected by this bug.

This vulnerability was found by the maintainers of Pinniped and fixed immediately. The fix was introduced in release v0.19.0.

Frequently Asked Questions

  1. What is CVE-2022-31677? CVE-2022-31677 is a medium-severity security vulnerability in go.pinniped.dev (go), affecting versions >= 0.3.0, < 0.19.0. It is fixed in 0.19.0.
  2. How severe is CVE-2022-31677? CVE-2022-31677 has a CVSS score of 4.9 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of go.pinniped.dev are affected by CVE-2022-31677? go.pinniped.dev (go) versions >= 0.3.0, < 0.19.0 is affected.
  4. Is there a fix for CVE-2022-31677? Yes. CVE-2022-31677 is fixed in 0.19.0. Upgrade to this version or later.
  5. Is CVE-2022-31677 exploitable, and should I be worried? Whether CVE-2022-31677 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
  6. What actually determines whether CVE-2022-31677 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2022-31677? Upgrade go.pinniped.dev to 0.19.0 or later.

Stop the waste.
Protect your environment with Kodem.