PT-2022-20885 · Unknown · Pinniped Supervisor

Published 2022-08-29 · Updated 2024-08-21 · CVE-2022-31677

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Pinniped Supervisor versions prior to 0.19.0

Description: An Insufficient Session Expiration issue was discovered in the Pinniped Supervisor. A user authenticating to Kubernetes clusters via the Pinniped Supervisor could potentially use their access token to continue their session beyond what proper use of their refresh token would allow. Access tokens issued by the Pinniped Supervisor have an intended lifetime of approximately two minutes. The Pinniped CLI automatically uses the refresh token to request a new access token once the access token's advertised expiration time has elapsed. Due to a bug in the token exchange endpoint, the expiration time of the submitted access token was not checked correctly, so expired access tokens continued to be accepted by this endpoint until the user's backend session data was deleted, approximately nine hours after the session started.

Recommendations: For versions prior to 0.19.0, upgrade the Supervisor to version 0.19.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the vulnerable token exchange feature until a patch is available, and avoid using expired access tokens with the affected endpoint until the issue is resolved. There are no known workarounds other than upgrading the Supervisor, especially for users of v0.13.0 or newer.
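To make the missing check concrete, here is an added Go model of a token exchange endpoint before and after the fix the advisory describes. It is example code written for this page, not Pinniped's own implementation; the session store, the Session and AccessToken types, and the 2-minute token and 9-hour session lifetimes are constructed assumptions matching the figures in the description.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Hypothetical models (not Pinniped's own types): the backend session the
// Supervisor keeps for ~9 hours, and the ~2 minute access token bound to it.
type Session struct{ Expiry time.Time }
type AccessToken struct {
	SessionID string
	Expiry    time.Time
}
var errUnknownSession = errors.New("unknown or deleted session")
var errExpiredToken = errors.New("access token expired")

// exchangeVulnerable models the pre-0.19.0 behaviour from the advisory: only the
// backing session is checked, so the token works until that session is deleted.
func exchangeVulnerable(store map[string]Session, tok AccessToken, now time.Time) error {
	if s, ok := store[tok.SessionID]; !ok || !now.Before(s.Expiry) {
		return errUnknownSession
	}
	return nil
}

// exchangeFixed adds the missing check: the submitted token's own expiry must not have passed.
func exchangeFixed(store map[string]Session, tok AccessToken, now time.Time) error {
	if err := exchangeVulnerable(store, tok, now); err != nil {
		return err
	}
	if !now.Before(tok.Expiry) {
		return errExpiredToken
	}
	return nil
}

// scenario builds a constructed session and token and reports whether each
// endpoint still accepts the token `after` the session started.
func scenario(after time.Duration) (vulnOK, fixedOK bool) {
	start := time.Date(2022, 8, 29, 12, 0, 0, 0, time.UTC)
	store := map[string]Session{"sess-1": {Expiry: start.Add(9 * time.Hour)}}
	tok := AccessToken{SessionID: "sess-1", Expiry: start.Add(2 * time.Minute)}
	now := start.Add(after)
	return exchangeVulnerable(store, tok, now) == nil, exchangeFixed(store, tok, now) == nil
}

// 30 minutes in, only the vulnerable endpoint still accepts the 2-minute token: prints "true false".
func main() { fmt.Println(scenario(30 * time.Minute)) }
```

The three interesting points in time are one minute in (both accept), thirty minutes in (only the unpatched endpoint accepts) and after the nine-hour session is gone (both reject), which is the window the advisory describes.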

Fix

Weakness Enumeration

Insufficient Session Expiration

Related Identifiers

BIT-PINNIPED-2022-31677
CVE-2022-31677
GHSA-RP4V-HHM6-RCV9
GO-2022-0981

Affected Products

Pinniped Supervisor