CVE-2024-9779 open-cluster-management.io/ocm

Package

Manager: go
Name: open-cluster-management.io/ocm
Vulnerable Version: >=0 <0.13.0

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:H/SI:H/SA:N

EPSS: 0.00124 (percentile 0.32401)

Details

Open Cluster Management vulnerable to Trust Boundary Violation

A flaw was found in Open Cluster Management (OCM) when a user has access to the worker nodes on which the cluster-manager or klusterlet deployments run. The cluster-manager deployment uses a service account of the same name, "cluster-manager", which is bound to a ClusterRole also named "cluster-manager"; that ClusterRole includes the permission to create Pod resources. If this deployment schedules a pod onto an attacker-controlled node, the attacker can read the cluster-manager's service account token from that node and then steal any other service account token by creating a pod that mounts the target service account, gaining control of the whole cluster.

Metadata

Created: 2024-12-18T00:31:23Z
Modified: 2024-12-18T15:43:48Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/12/GHSA-jhh6-6fhp-q2xp/GHSA-jhh6-6fhp-q2xp.json
CWE IDs: ["CWE-501"]
Alternative ID: GHSA-jhh6-6fhp-q2xp
Finding: F089
Auto approve: 1