
Cloud Vulnerability DB
A community-led vulnerabilities database
A high-severity security vulnerability (CVE-2022-2385) was discovered in the AWS IAM Authenticator for Kubernetes, affecting versions v0.5.2 through v0.5.8. The vulnerability, discovered by Gafnit Amiga of Lightspin and disclosed on July 11, 2022, allows an allow-listed IAM identity to modify their username and potentially escalate privileges within the EKS (Elastic Kubernetes Service) cluster (Kubernetes Issue, SecurityOnline).
The vulnerability stems from a query parameter validation issue in the authenticator plugin when it is configured to use the {{AccessKeyID}} template parameter, whose value is taken from the query string of the presigned STS request. The flaw allowed attackers to craft malicious tokens with arbitrary action values, bypass cluster ID signing, and manipulate the AccessKeyID value. In clusters using aws-iam-authenticator, if an {{AccessKeyID}} was mapped to an IAM user with cluster admin privileges, any non-privileged user could potentially escalate their privileges to cluster admin. The vulnerability has been assigned a CVSS v3.1 score indicating high severity (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N) (CloudVulnDB).
The vulnerability could enable attackers to escalate privileges within a Kubernetes cluster, potentially gaining unauthorized access to cluster admin privileges. The impact is particularly significant in environments where the {{AccessKeyID}} template parameter is used to construct usernames and access levels are assigned based on those usernames (SecurityOnline).
As of June 28, 2022, all EKS clusters worldwide have been automatically updated with a new version of the AWS IAM Authenticator for Kubernetes containing the fix. For self-hosted installations, users should upgrade to aws-iam-authenticator version v0.5.9. As a temporary workaround, users can mitigate the vulnerability by avoiding the use of the {{AccessKeyID}} template value to construct usernames (SecurityOnline, CloudVulnDB).
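The two checks a defender would run against a self-hosted installation follow directly from the paragraph above: is the deployed aws-iam-authenticator release in the affected range (v0.5.2 through v0.5.8, fixed in v0.5.9), and does the aws-auth ConfigMap build any username from the {{AccessKeyID}} template? The script below is an added example written for this page, not code from the page, from AWS or from the aws-iam-authenticator project. It uses a constructed sample ConfigMap with a placeholder account ID (111122223333), and it scans the mapUsers/mapRoles YAML text line by line rather than pulling in a YAML parser, so it runs with the standard library alone.

```python
"""Audit helpers for CVE-2022-2385 in aws-iam-authenticator (added example)."""
import re
from typing import Dict, List, Tuple

# Affected self-hosted releases per the advisory: v0.5.2 through v0.5.8; fixed in v0.5.9.
FIRST_AFFECTED = (0, 5, 2)
FIRST_FIXED = (0, 5, 9)


def parse_version(tag: str) -> Tuple[int, int, int]:
    """Turn a release tag such as 'v0.5.8' (leading 'v' optional) into a comparable tuple."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", tag.strip())
    if not m:
        raise ValueError(f"unrecognised version tag: {tag!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected_version(tag: str) -> bool:
    """True when the release falls inside the vulnerable range [v0.5.2, v0.5.9)."""
    return FIRST_AFFECTED <= parse_version(tag) < FIRST_FIXED


# Matches 'username: <template>' entries inside the mapUsers / mapRoles blocks of aws-auth.
USERNAME_LINE = re.compile(r"^\s*-?\s*username:\s*(?P<template>\S.*?)\s*$")


def find_accesskeyid_usernames(configmap_text: str) -> List[str]:
    """Return every username template in an aws-auth ConfigMap that embeds {{AccessKeyID}}.

    These are the mappings the advisory's workaround says to remove or rewrite.
    """
    hits: List[str] = []
    for line in configmap_text.splitlines():
        m = USERNAME_LINE.match(line)
        if m and "{{AccessKeyID}}" in m.group("template"):
            hits.append(m.group("template").strip("\"'"))
    return hits


# Constructed sample aws-auth ConfigMap (not taken from the page); the account ID is a placeholder.
# The first mapUsers entry shows the weak pattern; the mapRoles entry uses {{SessionName}} instead.
SAMPLE_AWS_AUTH = """\
apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  mapUsers: |
    - userarn: arn:aws:iam::111122223333:user/cluster-admin
      username: admin:{{AccessKeyID}}
      groups:
        - system:masters
    - userarn: arn:aws:iam::111122223333:user/developer
      username: developer
      groups:
        - developers
  mapRoles: |
    - rolearn: arn:aws:iam::111122223333:role/ci-runner
      username: ci:{{SessionName}}
      groups:
        - ci
"""


def audit(tag: str, configmap_text: str) -> Dict[str, object]:
    """Combine both checks into one report for a self-hosted authenticator deployment."""
    return {
        "version": tag,
        "affected_version": is_affected_version(tag),
        "accesskeyid_usernames": find_accesskeyid_usernames(configmap_text),
    }


if __name__ == "__main__":
    # Example run against the constructed ConfigMap with a version inside the affected range.
    print(audit("v0.5.8", SAMPLE_AWS_AUTH))
```

On a real cluster the ConfigMap text would come from `kubectl -n kube-system get configmap aws-auth -o yaml`; a non-empty `accesskeyid_usernames` list means the mapping should be rewritten to a fixed username (or, for roles, {{SessionName}}) regardless of version, since the advisory names that as the workaround, and `affected_version` being true means the binary itself needs upgrading to v0.5.9.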
Source: This report was generated using AI