Upstream information

CVE-2024-9779 at MITRE

Description

A flaw was found in Open Cluster Management (OCM) when a user has access to the worker nodes which contain the cluster-manager or klusterlet deployments. The cluster-manager deployment uses a service account with the same name "cluster-manager" which is bound to a ClusterRole also named "cluster-manager", which includes the permission to create Pod resources. If this deployment runs a pod on an attacker-controlled node, the attacker can obtain the cluster-manager's token and steal any service account token by creating and mounting the target service account to control the whole cluster.

SUSE information

Overall state of this security issue: Does not affect SUSE products

This issue is currently rated as having important severity.

CVSS v3 Scores
  CNA (Red Hat)
Base Score 7.5
Vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:N
Attack Vector Network
Attack Complexity High
Privileges Required None
User Interaction None
Scope Changed
Confidentiality Impact Low
Integrity Impact High
Availability Impact None
CVSSv3 Version 3.1
No SUSE Bugzilla entries cross referenced.

No SUSE Security Announcements cross referenced.

List of released packages

Product(s) Fixed package version(s) References
openSUSE Tumbleweed
  • govulncheck-vulndb >= 0.0.20241220T214820-1.1
Patchnames:
openSUSE-Tumbleweed-2024-14608


SUSE Timeline for this CVE

CVE page created: Fri Oct 11 00:00:14 2024
CVE page last modified: Mon Dec 23 00:54:19 2024