Lucene search

Redhat.comRH:CVE-2024-4369

HistoryApr 30, 2024 - 9:23 p.m.

CVE-2024-4369

2024-04-3021:23:33

redhat.com

access.redhat.com

info disclosure

openshift

image registry operator

azure

environment variable

pod definition

azure service account

CVSS3

6.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N

AI Score

6.2

Confidence

High

EPSS

Percentile

15.5%

JSON

An information disclosure flaw was found in OpenShift’s internal image registry operator. The AZURE_CLIENT_SECRET can be exposed through an environment variable defined in the pod definition, but is limited to Azure environments. An attacker controlling an account that has high enough permissions to obtain pod information from the openshift-image-registry namespace could use this obtained client secret to perform actions as the registry operator’s Azure service account.

References

bugzilla.redhat.com/show_bug.cgi?id=2278035

nvd.nist.gov/vuln/detail/CVE-2024-4369

www.cve.org/CVERecord?id=CVE-2024-4369

CVSS3

6.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N

AI Score

6.2

Confidence

High

EPSS

Percentile

15.5%

JSON

Related for RH:CVE-2024-4369