An information disclosure flaw was found in OpenShift's internal image registry operator. The AZURE_CLIENT_SECRET can be exposed through an environment variable defined in the pod definition, but is limited to Azure environments. An attacker controlling an account that has high enough permissions to obtain pod information from the openshift-image-registry namespace could use this obtained client secret to perform actions as the registry operator's Azure service account.
History

Sun, 24 Nov 2024 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2024-04-30T23:49:02.382Z

Updated: 2024-12-06T14:52:14.083Z

Reserved: 2024-04-30T19:17:21.633Z

Link: CVE-2024-4369

cve-icon Vulnrichment

Updated: 2024-08-01T20:40:47.021Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2024-05-01T00:15:06.890

Modified: 2024-11-21T09:42:42.850

Link: CVE-2024-4369

cve-icon Redhat

Severity : Moderate

Publid Date: 2024-04-30T00:00:00Z

Links: CVE-2024-4369 - Bugzilla