CVE-2022-31677 — Pinniped Supervisor Insufficient Session Expiration vulnerability in go.pinniped

Description

An Insufficient Session Expiration issue was discovered in the Pinniped Supervisor (before v0.19.0). A user authenticating to Kubernetes clusters via the Pinniped Supervisor could potentially use their access token to continue their session beyond what proper use of their refresh token might allow.

How to fix CVE-2022-31677

To remediate CVE-2022-31677, upgrade the affected package to a fixed version below.

—upgrade to 0.19.0 or later
—upgrade to 0.19.0 or later
—upgrade to 0.19.0 or later

Is CVE-2022-31677 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (3)

>= 0.3.0, < 0.19.0
>= 0.3.0, < 0.19.0
>= 0.3.0, < 0.19.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM4.9	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2022-31677
PATCHgithub.com/vmware-tanzu/pinniped
WEBgithub.com/vmware-tanzu/pinniped/pull/1264
WEBgithub.com/vmware-tanzu/pinniped/releases/tag/v0.19.0
WEB