{"api_version":"1","generated_at":"2026-07-09T22:53:06+00:00","cve":"CVE-2022-31677","urls":{"html":"https://cve.report/CVE-2022-31677","api":"https://cve.report/api/cve/CVE-2022-31677.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2022-31677","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2022-31677"},"summary":{"title":"CVE-2022-31677","description":"An Insufficient Session Expiration issue was discovered in the Pinniped Supervisor (before v0.19.0). A user authenticating to Kubernetes clusters via the Pinniped Supervisor could potentially use their access token to continue their session beyond what proper use of their refresh token might allow.","state":"PUBLIC","assigner":"security@vmware.com","published_at":"2022-08-29 15:15:00","updated_at":"2022-09-07 18:41:00"},"problem_types":["CWE-613"],"metrics":[],"references":[{"url":"https://github.com/vmware-tanzu/pinniped/security/advisories/GHSA-rp4v-hhm6-rcv9","name":"https://github.com/vmware-tanzu/pinniped/security/advisories/GHSA-rp4v-hhm6-rcv9","refsource":"MISC","tags":[],"title":"Insufficient session expiration of access tokens in Pinniped Supervisor before v0.19.0 causes user to be able to continue session beyond what might be allowed by proper use of the refresh token · Advisory · vmware-tanzu/pinniped · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2022-31677","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-31677","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2022","cve_id":"31677","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"vmware","cpe5":"pinniped","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"data_type":"CVE","data_format":"MITRE","data_version":"4.0","CVE_data_meta":{"ID":"CVE-2022-31677","ASSIGNER":"security@vmware.com","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"vendor_name":"n/a","product":{"product_data":[{"product_name":"Pinniped Supervisor","version":{"version_data":[{"version_value":"Pinniped Supervisor (before v0.19.0)"}]}}]}}]}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"Insufficient Session Expiration issue"}]}]},"references":{"reference_data":[{"refsource":"MISC","name":"https://github.com/vmware-tanzu/pinniped/security/advisories/GHSA-rp4v-hhm6-rcv9","url":"https://github.com/vmware-tanzu/pinniped/security/advisories/GHSA-rp4v-hhm6-rcv9"}]},"description":{"description_data":[{"lang":"eng","value":"An Insufficient Session Expiration issue was discovered in the Pinniped Supervisor (before v0.19.0). A user authenticating to Kubernetes clusters via the Pinniped Supervisor could potentially use their access token to continue their session beyond what proper use of their refresh token might allow."}]}},"nvd":{"publishedDate":"2022-08-29 15:15:00","lastModifiedDate":"2022-09-07 18:41:00","problem_types":["CWE-613"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE","baseScore":5.4,"baseSeverity":"MEDIUM"},"exploitabilityScore":2.8,"impactScore":2.5}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:vmware:pinniped:*:*:*:*:*:*:*:*","versionStartIncluding":"0.3.0","versionEndExcluding":"0.19.0","cpe_name":[]}]}]}},"legacy_mitre":{"record":null,"notes":[]}}}