Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
cvelistRedhatCVELIST:CVE-2024-4369
HistoryApr 30, 2024 - 11:49 p.m.

CVE-2024-4369 Cluster-image-registry-operator: exposes a secret via env variable in pod definition on azure

2024-04-3023:49:02
CWE-526
redhat
www.cve.org
2
cve-2024-4369
information disclosure
openshift
azure
environment variable
pod definition
azure service account

CVSS3

6.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N

AI Score

6.4

Confidence

High

EPSS

0

Percentile

15.5%

JSON

An information disclosure flaw was found in OpenShift’s internal image registry operator. The AZURE_CLIENT_SECRET can be exposed through an environment variable defined in the pod definition, but is limited to Azure environments. An attacker controlling an account that has high enough permissions to obtain pod information from the openshift-image-registry namespace could use this obtained client secret to perform actions as the registry operator’s Azure service account.

CNA Affected

[
  {
    "vendor": "Red Hat",
    "product": "Red Hat OpenShift Container Platform 4.14",
    "collectionURL": "https://catalog.redhat.com/software/containers/",
    "packageName": "openshift4/ose-cluster-image-registry-operator",
    "defaultStatus": "affected",
    "versions": [
      {
        "version": "v4.14.0-202406112008.p0.g36b3cca.assembly.stream.el8",
        "lessThan": "*",
        "versionType": "rpm",
        "status": "unaffected"
      }
    ],
    "cpes": [
      "cpe:/a:redhat:openshift:4.14::el9",
      "cpe:/a:redhat:openshift:4.14::el8"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat OpenShift Container Platform 4.15",
    "collectionURL": "https://catalog.redhat.com/software/containers/",
    "packageName": "openshift4/ose-cluster-image-registry-rhel9-operator",
    "defaultStatus": "affected",
    "versions": [
      {
        "version": "v4.15.0-202406060836.p0.gf577b35.assembly.stream.el9",
        "lessThan": "*",
        "versionType": "rpm",
        "status": "unaffected"
      }
    ],
    "cpes": [
      "cpe:/a:redhat:openshift:4.15::el9",
      "cpe:/a:redhat:openshift:4.15::el8"
    ]
  }
]

Related

vulnrichment 1
redhat 2
cve 1
nvd 1
redhatcve 1
vulnrichment
vulnrichment
CVE-2024-4369 Cluster-image-registry-operator: exposes a secret via env variable in pod definition on azure
2024-04-30 23:49:02
redhat
redhat
(RHSA-2024:3881) Moderate: OpenShift Container Platform 4.14.30 bug fix and security update
2024-06-19 14:15:55
(RHSA-2024:3889) Important: OpenShift Container Platform 4.15.18 security update
2024-06-18 23:27:53
cve
cve
CVE-2024-4369
2024-05-01 00:15:06
nvd
nvd
CVE-2024-4369
2024-05-01 00:15:06
redhatcve
redhatcve
CVE-2024-4369
2024-04-30 21:23:33

CVSS3

6.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N

AI Score

6.4

Confidence

High

EPSS

0

Percentile

15.5%

JSON
Related for CVELIST:CVE-2024-4369
vulnrichment1redhat2cve1nvd1redhatcve1