Create TokenReviews (validate arbitrary tokens)
Information Disclosure
Medium
Overview
| Field | Value |
|---|---|
| ID | 1049 |
| Name | Create TokenReviews (validate arbitrary tokens) |
| Risk Category | Information Disclosure |
| Risk Level | Medium |
| Role Type | ClusterRole |
| API Groups | authentication.k8s.io |
| Resources | tokenreviews |
| Verbs | create |
| Tags | CredentialAccess InformationDisclosure RBACQuery |
Description
Allows submitting TokenReview objects to the API server, which checks whether an arbitrary bearer token is currently valid and, if so, reports the identity bound to it: username, UID, groups, extra attributes and the audiences the token was issued for. TokenReview is a cluster-scoped resource, so the permission is granted through a ClusterRole and applies to tokens from every namespace. The permission does not mint or return tokens; the caller must already possess the token being checked. Its value to an attacker is in turning a pile of harvested tokens (from Secrets, mounted volumes, logs or request captures) into a list of which ones are still live and what identity each confers, before spending any of them, and in confirming that a revoked or expired token is no longer useful. Because the response only describes the token submitted, this is classified as information disclosure rather than privilege escalation. Note that legitimate components such as authenticating proxies and webhook authenticators need this permission, so an audit should distinguish those principals from unexpected ones.
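The request and response shapes described above, plus an audit-log check for who is creating TokenReviews, as an added example that is not part of the original entry or of any tool's code. The field names follow the authentication.k8s.io/v1 TokenReview API and the audit.k8s.io/v1 Event format; the token values, usernames, UIDs and audit events are constructed for illustration.

```python
"""Added example: build a TokenReview body, read what the API server discloses
about the token, and flag TokenReview creates in audit logs. All sample data is
constructed, not captured from a real cluster."""
import json

# Cluster-scoped endpoint; no namespace appears in the path or the body.
API_PATH = "/apis/authentication.k8s.io/v1/tokenreviews"


def build_token_review(token: str, audiences=None) -> dict:
    """Body sent with `create tokenreviews`. `audiences` is optional; when set,
    the server only reports authenticated=true if the token was issued for one
    of them."""
    spec = {"token": token}
    if audiences:
        spec["audiences"] = list(audiences)
    return {"apiVersion": "authentication.k8s.io/v1",
            "kind": "TokenReview",
            "spec": spec}


def summarize_review(review: dict) -> dict:
    """Pull out everything the status block reveals about the submitted token."""
    status = review.get("status", {})
    user = status.get("user", {})
    return {
        "authenticated": bool(status.get("authenticated", False)),
        "username": user.get("username"),
        "uid": user.get("uid"),
        "groups": list(user.get("groups", [])),
        "audiences": list(status.get("audiences", [])),
        "error": status.get("error"),
    }


def is_service_account(username) -> bool:
    """Service account identities always carry this prefix."""
    return bool(username) and username.startswith("system:serviceaccount:")


def tokenreview_creates(audit_lines, allowlist=()):
    """Return (username, sourceIPs) for completed TokenReview creates by any
    principal not in `allowlist`. Put known reviewers (auth proxies, webhook
    authenticators) in the allowlist; everything else deserves a look."""
    hits = []
    for line in audit_lines:
        ev = json.loads(line)
        ref = ev.get("objectRef", {})
        if ev.get("verb") != "create" or ref.get("resource") != "tokenreviews":
            continue
        if ref.get("apiGroup") != "authentication.k8s.io":
            continue
        # Each request logs several stages; count it once, at completion.
        if ev.get("stage") != "ResponseComplete":
            continue
        who = ev.get("user", {}).get("username", "")
        if who in allowlist:
            continue
        hits.append((who, list(ev.get("sourceIPs", []))))
    return hits


# Constructed response for an illustrative token; values are made up.
SAMPLE_RESPONSE = {
    "apiVersion": "authentication.k8s.io/v1", "kind": "TokenReview",
    "spec": {"token": "<redacted>"},
    "status": {
        "authenticated": True,
        "audiences": ["https://kubernetes.default.svc"],
        "user": {"username": "system:serviceaccount:kube-system:default",
                 "uid": "7d3f0c2a-0000-4000-8000-000000000001",
                 "groups": ["system:serviceaccounts",
                            "system:serviceaccounts:kube-system",
                            "system:authenticated"]},
    },
}

# Constructed audit events (audit.k8s.io/v1 Event shape, one JSON object per line).
def _event(user, verb, resource, group, stage, ip):
    return json.dumps({"kind": "Event", "apiVersion": "audit.k8s.io/v1",
                       "stage": stage, "verb": verb, "sourceIPs": [ip],
                       "user": {"username": user},
                       "objectRef": {"resource": resource, "apiGroup": group,
                                     "apiVersion": "v1"}})

SAMPLE_AUDIT = [
    _event("system:serviceaccount:auth:oauth2-proxy", "create", "tokenreviews",
           "authentication.k8s.io", "ResponseComplete", "10.0.1.5"),
    _event("system:serviceaccount:default:compromised-app", "create", "tokenreviews",
           "authentication.k8s.io", "RequestReceived", "10.0.2.9"),
    _event("system:serviceaccount:default:compromised-app", "create", "tokenreviews",
           "authentication.k8s.io", "ResponseComplete", "10.0.2.9"),
    _event("alice", "get", "pods", "", "ResponseComplete", "10.0.3.3"),
]

if __name__ == "__main__":
    print(json.dumps(build_token_review("<token>", ["https://kubernetes.default.svc"])))
    print(summarize_review(SAMPLE_RESPONSE))
    print(tokenreview_creates(SAMPLE_AUDIT, {"system:serviceaccount:auth:oauth2-proxy"}))
```

The audit check keys on the ResponseComplete stage so each request counts once, and relies on an explicit allowlist rather than skipping all `system:` principals, since a compromised workload's service account also carries that prefix.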