Lucene search

[email protected]NVD:CVE-2024-4369

HistoryMay 01, 2024 - 12:15 a.m.

CVE-2024-4369

2024-05-0100:15:06

CWE-526

[email protected]

web.nvd.nist.gov

openshift

image registry

information disclosure

azure

environment variable

pod definition

attacker

permissions

namespace

client secret

registry operator

azure service account

CVSS3

6.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N

AI Score

6.2

Confidence

High

EPSS

Percentile

15.5%

JSON

An information disclosure flaw was found in OpenShift’s internal image registry operator. The AZURE_CLIENT_SECRET can be exposed through an environment variable defined in the pod definition, but is limited to Azure environments. An attacker controlling an account that has high enough permissions to obtain pod information from the openshift-image-registry namespace could use this obtained client secret to perform actions as the registry operator’s Azure service account.

References

access.redhat.com/errata/RHSA-2024:3881

access.redhat.com/errata/RHSA-2024:3889

access.redhat.com/security/cve/CVE-2024-4369

bugzilla.redhat.com/show_bug.cgi?id=2278035

CVSS3

6.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N

AI Score

6.2

Confidence

High

EPSS

Percentile

15.5%

JSON

Related for NVD:CVE-2024-4369

vulnrichment1 redhat2 cve1 cvelist1 redhatcve1