CVSS: 7.5 • EPSS: 0% • CPEs: 2 • EXPL: 0

17 Dec 2024 — A flaw was found in Open Cluster Management (OCM) when a user has access to the worker nodes which contain the cluster-manager or klusterlet deployments. The cluster-manager deployment uses a service account with the same name "cluster-manager" which is bound to a ClusterRole also named "cluster-manager", which includes the permission to create Pod resources. If this deployment runs a pod on an attacker-controlled node, the attacker can obtain the cluster-manager's token and steal any service account token ... • https://access.redhat.com/security/cve/CVE-2024-9779 • CWE-501: Trust Boundary Violation •

CVSS: 6.6 • EPSS: 0% • CPEs: 2 • EXPL: 0

17 May 2024 — A flaw was found in the Submariner project. Due to unnecessary role-based access control permissions, a privileged attacker can run a malicious container on a node that may allow them to steal service account tokens and further compromise other nodes and potentially the entire cluster. • https://access.redhat.com/security/cve/CVE-2024-5042 • CWE-250: Execution with Unnecessary Privileges •

CVSS: 8.3 • EPSS: 0% • CPEs: 43 • EXPL: 0

09 May 2024 — A flaw was found in the github.com/containers/image library. This flaw allows attackers to trigger unexpected authenticated registry accesses on behalf of a victim user, causing resource exhaustion, local path traversal, and other attacks. • https://access.redhat.com/errata/RHSA-2024:0045 • CWE-354: Improper Validation of Integrity Check Value •

CVSS: 7.7 • EPSS: 0% • CPEs: 2 • EXPL: 0

25 Apr 2024 — A credentials leak vulnerability was found in the cluster monitoring operator in OCP. This issue may allow a remote attacker who has basic login credentials to check the pod manifest to discover a repository pull secret. • https://access.redhat.com/errata/RHSA-2024:1887 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVSS: 5.3 • EPSS: 0% • CPEs: 7 • EXPL: 0

25 Apr 2024 — A flaw was found in coredns. This issue could lead to invalid cache entries returning due to incorrectly implemented caching. • https://access.redhat.com/errata/RHSA-2024:0041 • CWE-524: Use of Cache Containing Sensitive Information •