An improper authorization flaw exists in the Ansible Automation Controller. This flaw allows an attacker using the k8S API server to send an HTTP request with a service account token mounted via `automountServiceAccountToken: true`, resulting in privilege escalation to a service account.
History

Thu, 12 Sep 2024 17:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 12 Sep 2024 16:45:00 +0000

Type Values Removed Values Added
Description No description is available for this CVE. An improper authorization flaw exists in the Ansible Automation Controller. This flaw allows an attacker using the k8S API server to send an HTTP request with a service account token mounted via `automountServiceAccountToken: true`, resulting in privilege escalation to a service account.
Title automation-controller: Gain access to the k8s API server via job execution with Container Group Automation-controller: gain access to the k8s api server via job execution with container group
First Time appeared Redhat ansible Automation Platform Developer
Redhat ansible Automation Platform Inside
CPEs cpe:/a:redhat:ansible_automation_platform_developer:2.4::el8
cpe:/a:redhat:ansible_automation_platform_developer:2.4::el9
cpe:/a:redhat:ansible_automation_platform_inside:2.4::el8
cpe:/a:redhat:ansible_automation_platform_inside:2.4::el9
Vendors & Products Redhat ansible Automation Platform Developer
Redhat ansible Automation Platform Inside
References

Sun, 08 Sep 2024 19:00:00 +0000

Type Values Removed Values Added
First Time appeared Redhat
Redhat ansible Automation Platform
CPEs cpe:/a:redhat:ansible_automation_platform:2.4::el8
cpe:/a:redhat:ansible_automation_platform:2.4::el9
Vendors & Products Redhat
Redhat ansible Automation Platform

Thu, 05 Sep 2024 11:15:00 +0000

Type Values Removed Values Added
Description No description is available for this CVE.
Title automation-controller: Gain access to the k8s API server via job execution with Container Group
Weaknesses CWE-285
References
Metrics threat_severity

None

cvssV3_1

{'score': 6.6, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:N'}

threat_severity

Moderate


cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2024-09-12T16:35:08.921Z

Updated: 2024-11-24T18:00:46.488Z

Reserved: 2024-07-17T17:51:16.353Z

Link: CVE-2024-6840

cve-icon Vulnrichment

Updated: 2024-09-12T16:54:30.512Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2024-09-12T17:15:05.773

Modified: 2024-09-12T18:14:03.913

Link: CVE-2024-6840

cve-icon Redhat

Severity : Moderate

Publid Date: 2024-09-05T09:09:00Z

Links: CVE-2024-6840 - Bugzilla