High severity · NVD Advisory · Published Jul 12, 2022 · Updated Sep 16, 2024

AccessKeyID validation bypass

CVE-2022-2385

Description

A security issue was discovered in aws-iam-authenticator where an allow-listed IAM identity may be able to modify their username and escalate privileges.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An allow-listed IAM identity in aws-iam-authenticator could modify their username to escalate privileges, affecting versions v0.5.2-v0.5.8.

Vulnerability

Description

The vulnerability in aws-iam-authenticator (CVE-2022-2385) stems from the insecure use of the AccessKeyID template parameter when constructing usernames. By supplying a crafted AccessKeyID, an authenticated IAM identity that is already allow-listed can modify their own username within the mapping to Kubernetes RBAC [2][4]. This bypasses the intended identity mapping logic.

Exploitation

Exploitation requires an attacker to have valid AWS IAM credentials that are already allow-listed in the cluster's authentication configuration. No additional network access is needed beyond the ability to authenticate. The attack is indistinguishable from legitimate requests because the AccessKeyID is normally trusted [4].

Impact

Successful exploitation allows the attacker to assume any username that is mapped to a higher privilege role, leading to privilege escalation within the Kubernetes cluster. The CVSS score is 7.1 (High) with impacts on confidentiality and integrity (C:H/I:H/A:N) [2][4].

Mitigation

Users should upgrade to aws-iam-authenticator v0.5.9 or later, which removes the use of AccessKeyID in username templates [3]. Until patched, the vulnerability can be mitigated by not using the {{AccessKeyID}} template parameter in username mappings [4].
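As an added illustration (not the project's code), the check below does what the fix commit under Patches adds to the token verifier: it parses a constructed presigned STS GetCallerIdentity URL modelled on the patch's test vector and rejects a second, differently cased x-amz-credential parameter, which would otherwise pass a case-insensitive whitelist while the verifier reads the exact-case key. It goes one step beyond the patch by also rejecting a parameter repeated with identical casing, which url.ParseQuery folds into one key with several values. The whitelist, URLs and credential strings are constructed for the example.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Lower-case whitelist of query parameters (constructed; the real verifier keeps its own).
var allowedParams = map[string]bool{
	"action": true, "version": true, "x-amz-algorithm": true, "x-amz-credential": true,
	"x-amz-date": true, "x-amz-expires": true, "x-amz-security-token": true,
	"x-amz-signedheaders": true, "x-amz-signature": true,
}
// checkQueryParams parses a presigned URL's query and rejects (a) a key that
// collides with another once lower-cased, the case-variant duplicate in the
// CVE-2022-2385 fix test, and (b) a key repeated with identical casing, which
// url.ParseQuery folds into one entry holding several values.
func checkQueryParams(rawURL string) (map[string]string, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return nil, fmt.Errorf("malformed url: %w", err)
	}
	q, err := url.ParseQuery(u.RawQuery)
	if err != nil {
		return nil, fmt.Errorf("malformed query: %w", err)
	}
	canon := make(map[string]string, len(q)) // lower-case key -> single value
	for key, values := range q {
		lower := strings.ToLower(key)
		if len(values) != 1 {
			return nil, fmt.Errorf("query parameter %q repeated %d times", key, len(values))
		}
		if _, seen := canon[lower]; seen {
			return nil, fmt.Errorf("duplicate query parameter found: %q", key)
		}
		if !allowedParams[lower] {
			return nil, fmt.Errorf("non-whitelisted query parameter %q", key)
		}
		canon[lower] = values[0]
	}
	return canon, nil
}
// Constructed tokens modelled on the patch's test vector (placeholder credentials).
const goodToken = "https://sts.us-west-2.amazonaws.com/?Action=GetCallerIdentity&X-Amz-Credential=ASIAEXAMPLE%2F20220601%2Fus-west-2%2Fsts%2Faws4_request&X-Amz-SignedHeaders=host%3Bx-k8s-aws-id"
const forgedToken = goodToken + "&x-amz-credential=eve" // second, differently cased credential
func main() {
	_, err := checkQueryParams(forgedToken)
	fmt.Println("forged token rejected:", err != nil) // prints true
}
```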

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: sigs.k8s.io/aws-iam-authenticator (Go)
Affected versions: < 0.5.9
Patched versions: 0.5.9


Patches

Commit 029d1dcf2ec8

Add query parameter validation for multiple parameters

2 files changed · +16 −0
  • pkg/token/token.go (+15 −0, modified)
    @@ -473,6 +473,10 @@ func (v tokenVerifier) Verify(token string) (*Identity, error) {
     		return nil, FormatError{"malformed query parameter"}
     	}
     
    +	if err = validateDuplicateParameters(queryParams); err != nil {
    +		return nil, err
    +	}
    +
     	for key, values := range queryParams {
     		if !parameterWhitelist[strings.ToLower(key)] {
     			return nil, FormatError{fmt.Sprintf("non-whitelisted query parameter %q", key)}
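Review bot: validateDuplicateParameters is called on queryParams after url.ParseQuery has already merged identically spelled keys into one entry with several values, so this call catches only case-variant duplicates; consider also rejecting len(values) > 1 in the whitelist loop that follows (`for key, values := range queryParams`), or documenting that exact-case repeats are handled elsewhere.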
    @@ -576,6 +580,17 @@ func (v tokenVerifier) Verify(token string) (*Identity, error) {
     	return id, nil
     }
     
    +func validateDuplicateParameters(queryParams url.Values) error {
    +	duplicateCheck := make(map[string]bool)
    +	for key, _ := range queryParams {
    +		if _, found := duplicateCheck[strings.ToLower(key)]; found {
    +			return FormatError{fmt.Sprintf("duplicate query parameter found: %q", key)}
    +		}
    +		duplicateCheck[strings.ToLower(key)] = true
    +	}
    +	return nil
    +}
    +
     func hasSignedClusterIDHeader(paramsLower *url.Values) bool {
     	signedHeaders := strings.Split(paramsLower.Get("x-amz-signedheaders"), ";")
     	for _, hdr := range signedHeaders {
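Review bot: `for key, _ := range queryParams` should be `for key := range queryParams` (gofmt -s and go vet flag the redundant blank identifier), and strings.ToLower(key) is computed twice per iteration; bind it once (`lower := strings.ToLower(key)`) and use `if duplicateCheck[lower]` instead of the two-value lookup on a map[string]bool. Because url.Values has already collapsed identically spelled keys, this function never sees an exact-case duplicate; a doc comment saying it detects only case-folded collisions would stop a reader assuming broader coverage.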
    
  • pkg/token/token_test.go (+1 −0, modified)
    @@ -190,6 +190,7 @@ func TestVerifyTokenPreSTSValidations(t *testing.T) {
     	validationSuccessTest(t, "aws", toToken(fmt.Sprintf("https://sts.ca-central-1.amazonaws.com/?action=GetCallerIdentity&x-amz-signedheaders=x-k8s-aws-id&x-amz-date=%s&x-amz-expires=60", timeStr)))
     	validationSuccessTest(t, "aws", toToken(fmt.Sprintf("https://sts.eu-west-1.amazonaws.com/?action=GetCallerIdentity&x-amz-signedheaders=x-k8s-aws-id&x-amz-date=%s&x-amz-expires=60", timeStr)))
     	validationSuccessTest(t, "aws", toToken(fmt.Sprintf("https://sts.sa-east-1.amazonaws.com/?action=GetCallerIdentity&x-amz-signedheaders=x-k8s-aws-id&x-amz-date=%s&x-amz-expires=60", timeStr)))
    +	validationErrorTest(t, "aws", toToken(fmt.Sprintf("https://sts.us-west-2.amazonaws.com/?Action=GetCallerIdentity&Version=2011-06-15&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=ASIAAAAAAAAAAAAAAAAA%%2F20220601%%2Fus-west-2%%2Fsts%%2Faws4_request&X-Amz-Date=%s&X-Amz-Expires=900&X-Amz-Security-Token=XXXXXXXXXXXXX&X-Amz-SignedHeaders=host%%3Bx-k8s-aws-id&x-amz-credential=eve&X-Amz-Signature=999999999999999999", timeStr)), "input token was not properly formatted: duplicate query parameter found:")
     }
     
     func TestVerifyHTTPError(t *testing.T) {
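Review bot: the new validationErrorTest exercises only the mixed-case pair X-Amz-Credential / x-amz-credential; add a sibling case in which an allow-listed parameter is repeated with identical casing (for example x-amz-date twice) so the test pins down whether Verify rejects that form too, since validateDuplicateParameters compares only case-folded keys.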
    

