CVE-2022-22975
MEDIUMPinniped 0.9.0-0.16.9 - LDAP Query Injection via Common Name Manipulation
Title source: llmDescription
An issue was discovered in the Pinniped Supervisor with either LADPIdentityProvider or ActiveDirectoryIdentityProvider resources. An attack would involve the malicious user changing the common name (CN) of their user entry on the LDAP or AD server to include special characters, which could be used to perform LDAP query injection on the Supervisor's LDAP query which determines their Kubernetes group membership.
References (1)
Core 1
Core References
Third Party Advisory x_refsource_misc
https://github.com/vmware-tanzu/pinniped/security/advisories/GHSA-hvrf-5hhv-4348
Scores
CVSS v3
6.6
EPSS
0.0048
EPSS Percentile
65.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-74
Status
published
Products (1)
vmware/pinniped
0.9.0 - 0.17.0
Published
May 11, 2022
Tracked Since
Feb 18, 2026