CVE-2022-23551

CVE-2022-23551 is a medium-severity vulnerability in Microsoft Azure Ad Pod Identity with a CVSS 3.x base score of 5.3. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-863.

Key facts

Description

aad-pod-identity assigns Azure Active Directory identities to Kubernetes applications and has now been deprecated as of 24 October 2022. The NMI component in AAD Pod Identity intercepts and validates token requests based on regex. In this case, a token request made with backslash in the request (example: `/metadata/identity\oauth2\token/`) would bypass the NMI validation and be sent to IMDS allowing a pod in the cluster to access identities that it shouldn't have access to. This issue has been fixed and has been included in AAD Pod Identity release version 1.8.13. If using the AKS pod-managed identities add-on, no action is required. The clusters should now be running the version 1.8.13 release.

Frequently asked questions

What is CVE-2022-23551?
aad-pod-identity assigns Azure Active Directory identities to Kubernetes applications and has now been deprecated as of 24 October 2022. The NMI component in AAD Pod Identity intercepts and validates token requests based on regex. In this case, a token request made with backslash in the request (example: `/metadata/identity\oauth2\token/`) would bypass the NMI validation and be sent to IMDS allowing a pod in the cluster to access identities that it shouldn't have access to. This issue has been fixed and has been included in AAD Pod Identity release version 1.8.13. If using the AKS pod-managed identities add-on, no action is required. The clusters should now be running the version 1.8.13 release.
How severe is CVE-2022-23551?
CVE-2022-23551 has a CVSS 3.x base score of 5.3, rated medium severity. It is exploitable over local access with low attack complexity, requires high privileges and user interaction. Impact on confidentiality is low, integrity high, and availability low.
Is CVE-2022-23551 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 1% (49th percentile), an estimate of the probability of exploitation in the next 30 days.
What products are affected by CVE-2022-23551?
CVE-2022-23551 affects Microsoft Azure Ad Pod Identity. See the affected-products list for the exact vulnerable versions.
How do I fix CVE-2022-23551?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
When was CVE-2022-23551 published?
CVE-2022-23551 was published on 2022-12-21 and last updated on 2026-06-17.

References

Affected products (1)

Other CWE-863 (Incorrect Authorization) vulnerabilities

Browse all CWE-863 (Incorrect Authorization) vulnerabilities →