Remote Attacker May Discover Repository Pull Secret via Basic Login Credentials
CVE-2024-1139
7.7 HIGH
Key Information
- Vendor: Red Hat
- Status (affected products):
  - Red Hat OpenShift Container Platform 4.12
  - Red Hat OpenShift Container Platform 4.13
  - Red Hat OpenShift Container Platform 4.14
  - Red Hat OpenShift Container Platform 4.15
- CVE Published: 25 April 2024
Summary
A credentials leak vulnerability was found in the cluster monitoring operator in OpenShift Container Platform (OCP). A remote attacker who holds basic login credentials may be able to read the pod manifest and, from it, discover a repository pull secret.
Affected Version(s)
Red Hat OpenShift Container Platform 4.12 <= v4.12.0-202405091536.p0.g8906207.assembly.stream.el8
Red Hat OpenShift Container Platform 4.13 <= v4.13.0-202404200313.p0.gb518881.assembly.stream.el8
Red Hat OpenShift Container Platform 4.14 <= v4.14.0-202404161544.p0.gf350a68.assembly.stream.el8
CVSS V3.1
Score: 7.7
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed
Timeline
Risk changed from: none to: 7.7 (HIGH)
Vulnerability published.
Reported to Red Hat.
Collectors
NVD Database, MITRE Database
Credit
Red Hat would like to thank Calvinna Caswara (noris network AG) and Patrick Gress (noris network AG) for reporting this issue.