An improper authorization flaw exists in the Ansible Automation Controller. This flaw allows an attacker using the k8S API server to send an HTTP request with a service account token mounted via `automountServiceAccountToken: true`, resulting in privilege escalation to a service account.
Metrics
Affected Vendors & Products
References
History
Thu, 12 Sep 2024 17:30:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Metrics |
ssvc
|
Thu, 12 Sep 2024 16:45:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | No description is available for this CVE. | An improper authorization flaw exists in the Ansible Automation Controller. This flaw allows an attacker using the k8S API server to send an HTTP request with a service account token mounted via `automountServiceAccountToken: true`, resulting in privilege escalation to a service account. |
Title | automation-controller: Gain access to the k8s API server via job execution with Container Group | Automation-controller: gain access to the k8s api server via job execution with container group |
First Time appeared |
Redhat ansible Automation Platform Developer
Redhat ansible Automation Platform Inside |
|
CPEs | cpe:/a:redhat:ansible_automation_platform_developer:2.4::el8 cpe:/a:redhat:ansible_automation_platform_developer:2.4::el9 cpe:/a:redhat:ansible_automation_platform_inside:2.4::el8 cpe:/a:redhat:ansible_automation_platform_inside:2.4::el9 |
|
Vendors & Products |
Redhat ansible Automation Platform Developer
Redhat ansible Automation Platform Inside |
|
References |
|
Sun, 08 Sep 2024 19:00:00 +0000
Type | Values Removed | Values Added |
---|---|---|
First Time appeared |
Redhat
Redhat ansible Automation Platform |
|
CPEs | cpe:/a:redhat:ansible_automation_platform:2.4::el8 cpe:/a:redhat:ansible_automation_platform:2.4::el9 |
|
Vendors & Products |
Redhat
Redhat ansible Automation Platform |
Thu, 05 Sep 2024 11:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | No description is available for this CVE. | |
Title | automation-controller: Gain access to the k8s API server via job execution with Container Group | |
Weaknesses | CWE-285 | |
References |
| |
Metrics |
threat_severity
|
cvssV3_1
|
MITRE
Status: PUBLISHED
Assigner: redhat
Published: 2024-09-12T16:35:08.921Z
Updated: 2024-11-24T18:00:46.488Z
Reserved: 2024-07-17T17:51:16.353Z
Link: CVE-2024-6840
Vulnrichment
Updated: 2024-09-12T16:54:30.512Z
NVD
Status : Awaiting Analysis
Published: 2024-09-12T17:15:05.773
Modified: 2024-09-12T18:14:03.913
Link: CVE-2024-6840
Redhat