CVE-2024-9779

HIGH EPSS 35.1%
Published Dec 17, 20241y ago · Modified Jun 17, 20261w ago
7.5 CVSS 3.1
High
Find Similar
Published Dec 17, 2024 1y ago
Last Modified Jun 17, 2026 1w ago

Description

A flaw was found in Open Cluster Management (OCM) when a user has access to the worker nodes which contain the cluster-manager or klusterlet deployments. The cluster-manager deployment uses a service account with the same name "cluster-manager" which is bound to a ClusterRole also named "cluster-manager", which includes the permission to create Pod resources. If this deployment runs a pod on an attacker-controlled node, the attacker can obtain the cluster-manager's token and steal any service account token by creating and mounting the target service account to control the whole cluster.

CVSS Details

Base Score
7.5
Exploitability
2.2
Impact
4.7
Vector string
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:N
Attack Vector Network
Attack Complexity High
Privileges Required None
User Interaction None
Scope Changed
Confidentiality Low
Integrity High
Availability None

Threat Intelligence

EPSS Exploit Probability
35.1% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available

Weaknesses 1

CWE-266

References 5

  • access.redhat.com https://access.redhat.com/security/cve/CVE-2024-9779
  • bugzilla.redhat.com https://bugzilla.redhat.com/show_bug.cgi?id=2317916
  • github.com https://github.com/open-cluster-management-io/ocm/pull/325
  • github.com https://github.com/open-cluster-management-io/ocm/releases/tag/v0.13.0
  • github.com https://github.com/open-cluster-management-io/registration-operator/issues/361

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.