Overview

Field          Value
ID             1049
Name           Create TokenReviews (validate arbitrary tokens)
Risk Category  Information Disclosure
Risk Level     Medium
Role Type      ClusterRole
API Groups     authentication.k8s.io
Resources      tokenreviews
Verbs          create
Tags           CredentialAccess, InformationDisclosure, RBACQuery

Description

Allows submitting TokenReview requests to the API server to validate arbitrary tokens. This can be used to probe the validity and attributes of tokens, potentially discovering active service account tokens or user tokens, leading to information disclosure about authentication.

Abuse Scenarios

  1. Submit a TokenReview to validate an arbitrary token and get its user info.

# Replace <kubernetes-api-server> with your API server address (e.g., from 'kubectl cluster-info')
# Replace <your-token> with your current authentication token
# Replace <token-to-review> with the token you want to validate
curl -k -H "Authorization: Bearer <your-token>" -H "Content-Type: application/json" -X POST \
  --data '{"apiVersion":"authentication.k8s.io/v1","kind":"TokenReview","spec":{"token":"<token-to-review>"}}' \
  https://<kubernetes-api-server>/apis/authentication.k8s.io/v1/tokenreviews

# Example, reading the current token from ~/.kube/config:
curl -k -H "Authorization: Bearer $(grep token: ~/.kube/config | awk '{print $2}')" \
  -H "Content-Type: application/json" -X POST \
  --data '{"apiVersion":"authentication.k8s.io/v1","kind":"TokenReview","spec":{"token":"eyJhbGciOiJSUzI..."}}' \
  https://127.0.0.1:6443/apis/authentication.k8s.io/v1/tokenreviews
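A defender-side check to pair with this scenario, added here as an example and not part of the original entry: it scans Kubernetes audit events (audit.k8s.io/v1, one JSON object per line) for `create` on `tokenreviews` by subjects outside an allowlist of known delegated-authentication reviewers. The allowlist, the `make_event` helper and the sample events are constructed for the example; log tokenreviews at Metadata level so the reviewed token in the request body never lands in the audit log.

```python
import json

# Subjects that legitimately create TokenReviews through delegated authentication
# (aggregated API servers, metrics-server). Constructed allowlist; tune it to your cluster.
ALLOWED_REVIEWERS = {"system:serviceaccount:kube-system:metrics-server"}

def is_tokenreview_create(event):
    """True if a Metadata-level audit event records a TokenReview creation."""
    ref = event.get("objectRef") or {}
    return (event.get("stage") == "ResponseComplete"
            and event.get("verb") == "create"
            and ref.get("apiGroup") == "authentication.k8s.io"
            and ref.get("resource") == "tokenreviews")

def find_suspicious_tokenreviews(lines, allowed=ALLOWED_REVIEWERS):
    """Scan JSON-lines audit events; return (username, sourceIP, auditID) for every
    TokenReview creation by a subject outside the allowlist."""
    hits = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # ignore non-JSON lines (rotation markers, partial writes)
        if not is_tokenreview_create(event):
            continue
        user = (event.get("user") or {}).get("username", "<unknown>")
        if user in allowed:
            continue
        src = (event.get("sourceIPs") or ["?"])[0]
        hits.append((user, src, event.get("auditID", "")))
    return hits

def make_event(audit_id, username, verb, resource, group, src):
    """Build a constructed audit.k8s.io/v1 event line (Metadata level, no request body)."""
    return json.dumps({"kind": "Event", "apiVersion": "audit.k8s.io/v1", "auditID": audit_id,
                       "stage": "ResponseComplete", "verb": verb, "user": {"username": username},
                       "objectRef": {"resource": resource, "apiGroup": group},
                       "sourceIPs": [src], "responseStatus": {"code": 201}})

# Constructed sample log: one delegated-auth reviewer, one workload SA validating a token,
# one unrelated request, one junk line.
SAMPLE_AUDIT_LOG = [
    make_event("a1", "system:serviceaccount:kube-system:metrics-server", "create", "tokenreviews", "authentication.k8s.io", "10.0.0.5"),
    make_event("a2", "system:serviceaccount:default:webapp", "create", "tokenreviews", "authentication.k8s.io", "10.244.1.7"),
    make_event("a3", "system:serviceaccount:default:webapp", "get", "pods", "", "10.244.1.7"),
    "not json",
]

if __name__ == "__main__":
    for user, src, audit_id in find_suspicious_tokenreviews(SAMPLE_AUDIT_LOG):
        print(f"ALERT: tokenreviews/create by {user} from {src} (auditID={audit_id})")
```

Only the workload service account's TokenReview is reported; the allowlisted reviewer and the unrelated pod read are ignored.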