Security Issue in Azure File CSI Driver Allows Access to Service Account Tokens
CVE-2024-3744

6.5MEDIUM

Key Information:

Vendor: Kubernetes
Status: Azure-file-csi-driver
Vendor: CVE Published:; 15 May 2024

Summary

A security issue was discovered in azure-file-csi-driver where an actor with access to the driver logs could observe service account tokens. These tokens could then potentially be exchanged with external cloud providers to access secrets stored in cloud vault solutions. Tokens are only logged when TokenRequests is configured in the CSIDriver object and the driver is set to run at log level 2 or greater via the -v flag.

Affected Version(s)

azure-file-csi-driver v1.29.3

azure-file-csi-driver v1.30.0

References

https://groups.google.com/g/kubernetes-security-announce/...

mailing-list

https://github.com/kubernetes/kubernetes/issues/124759

issue-tracking

http://www.openwall.com/lists/oss-security/2024/05/09/4

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Timeline

Vulnerability published
May 15, 2024

Credit

Weizhi Chen @cvvz