An information disclosure flaw was found in OpenShift's internal image registry operator. The AZURE_CLIENT_SECRET can be exposed through an environment variable defined in the pod definition, but is limited to Azure environments. An attacker controlling an account that has high enough permissions to obtain pod information from the openshift-image-registry namespace could use this obtained client secret to perform actions as the registry operator's Azure service account.
Metrics
Affected Vendors & Products
References
History
Sun, 24 Nov 2024 17:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Metrics |
ssvc
|
MITRE
Status: PUBLISHED
Assigner: redhat
Published: 2024-04-30T23:49:02.382Z
Updated: 2024-12-06T14:52:14.083Z
Reserved: 2024-04-30T19:17:21.633Z
Link: CVE-2024-4369
Vulnrichment
Updated: 2024-08-01T20:40:47.021Z
NVD
Status : Awaiting Analysis
Published: 2024-05-01T00:15:06.890
Modified: 2024-11-21T09:42:42.850
Link: CVE-2024-4369
Redhat