CVE-2024-9779
Dec. 17, 2024, 11:15 p.m.
CVSS Score
Product(s) Impacted
Open Cluster Management (OCM)
Description
A flaw was found in Open Cluster Management (OCM) when a user has access to the worker nodes that run the cluster-manager or klusterlet deployments. The cluster-manager deployment uses a service account named "cluster-manager", which is bound to a ClusterRole also named "cluster-manager" that includes the permission to create Pod resources. If this deployment runs a pod on an attacker-controlled node, the attacker can obtain the cluster-manager's token and then steal any service account token by creating a pod that mounts the target service account, gaining control of the whole cluster.
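An RBAC audit for the condition described above, as an added example that is not part of the CVE record or of OCM's code: it lists service accounts bound through a ClusterRoleBinding to a ClusterRole that grants `create` on Pods. The sample objects are constructed; the namespace `example-ns`, the `read-only-example` role and the `viewer` account are assumptions, and the input shape follows `kubectl get clusterroles,clusterrolebindings -o json`.

```python
# Added example: flag service accounts that can create Pods cluster-wide.

def rule_allows_pod_create(rule):
    """True if an RBAC rule grants 'create' on core-group 'pods' (wildcards count)."""
    def has(key, value):
        return any(v in (value, "*") for v in rule.get(key) or [])
    return has("apiGroups", "") and has("resources", "pods") and has("verbs", "create")

def pod_creating_service_accounts(items):
    """Return sorted (namespace, name, clusterrole) for SAs bound to pod-creating ClusterRoles."""
    risky_roles = {
        o["metadata"]["name"]
        for o in items
        if o.get("kind") == "ClusterRole"
        and any(rule_allows_pod_create(r) for r in o.get("rules") or [])
    }
    findings = set()
    for o in items:
        if o.get("kind") != "ClusterRoleBinding":
            continue
        ref = o.get("roleRef", {})
        if ref.get("kind") != "ClusterRole" or ref.get("name") not in risky_roles:
            continue
        for s in o.get("subjects") or []:
            if s.get("kind") == "ServiceAccount":
                findings.add((s.get("namespace", ""), s["name"], ref["name"]))
    return sorted(findings)

# Constructed sample objects; namespace and the read-only role are assumptions.
SAMPLE = [
    {"kind": "ClusterRole", "metadata": {"name": "cluster-manager"},
     "rules": [{"apiGroups": [""], "resources": ["pods", "configmaps"],
                "verbs": ["get", "create"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "read-only-example"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "cluster-manager"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-manager"},
     "subjects": [{"kind": "ServiceAccount", "name": "cluster-manager",
                   "namespace": "example-ns"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "read-only-example"},
     "roleRef": {"kind": "ClusterRole", "name": "read-only-example"},
     "subjects": [{"kind": "ServiceAccount", "name": "viewer", "namespace": "example-ns"}]},
]

if __name__ == "__main__":
    for ns, name, role in pod_creating_service_accounts(SAMPLE):
        print(f"{ns}/{name} can create Pods via ClusterRole {role}")
```

The check covers ClusterRoleBindings only; namespaced RoleBindings and aggregated ClusterRoles would need the same rule test applied to their own objects.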
Weaknesses
CWE-501
Trust Boundary Violation
The product mixes trusted and untrusted data in the same data structure or structured message.
CWE ID: 501
Date
Published: Dec. 17, 2024, 11:15 p.m.
Last Modified: Dec. 17, 2024, 11:15 p.m.
Status: Awaiting Analysis
CVE has been recently published to the CVE List and has been received by the NVD.
Source
secalert@redhat.com
CVSS Data
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: HIGH
Availability Impact: NONE
Base Score
Exploitability Score
Impact Score
Base Severity: HIGH
CVSS Vector String
The CVSS vector string provides an in-depth view of the vulnerability metrics.
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:N