VDB

GCVE-110-CLOUD-2020-0010

GCVE-110-CLOUD-2020-0010
Advisory Published
Vulnetix · Advisory published October 6, 2020
Amazon Elastic Kubernetes Service (EKS) uses IAM to provide authentication to the cluster through the AWS IAM Authenticator for Kubernetes (aws-iam-authenticator). Multiple issues were identified in the authenticator that could have allowed exploitation, namely (1) a lax regular expression used to verify presigned URLs; (2) HTTP client redirect follow (due to using Golang HTTP client in its default configuration); (3) use of the Golang URL.Query function (which silently drops parameters that Go considers invalid, rather than raising an error and rejecting invalid tokens); and (4) no verification that the cluster uses Go versions newer than 1.12 (as older versions are vulnerable to request smuggling).

Affected Products

VendorProductVersionsPlatforms
AWSCloud Services
AWSIAM
AWSEKS
AWSConfig
AWSSES

References

advisory
advisory

Browse GCVE Records

73,442 records in the GCVE database · Updated July 17, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›