CVE-2024-4369— Cluster-image-registry-operator: exposes a secret via env variable in pod definition on azure
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2024-4369
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Cluster-image-registry-operator: exposes a secret via env variable in pod definition on azure
Source: NVD (National Vulnerability Database)
Vulnerability Description
An information disclosure flaw was found in OpenShift's internal image registry operator. The AZURE_CLIENT_SECRET can be exposed through an environment variable defined in the pod definition, but is limited to Azure environments. An attacker controlling an account that has high enough permissions to obtain pod information from the openshift-image-registry namespace could use this obtained client secret to perform actions as the registry operator's Azure service account.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
通过环境变量导致的信息暴露
Source: NVD (National Vulnerability Database)
Vulnerability Title
Red Hat OpenShift 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Red Hat OpenShift是美国红帽(Red Hat)公司的一款平台即服务(PaaS)云计算平台,它支持构建、测试、部署和运行应用程序。 Red Hat OpenShift存在安全漏洞,该漏洞源于存在信息泄露,攻击者可以使用获取的客户端密钥作为注册表操作员服务帐户执行操作。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| Red Hat | Red Hat OpenShift Container Platform 4.14 | v4.14.0-202406112008.p0.g36b3cca.assembly.stream.el8 ~ * | cpe:/a:redhat:openshift:4.14::el9 | |
| Red Hat | Red Hat OpenShift Container Platform 4.15 | v4.15.0-202406060836.p0.gf577b35.assembly.stream.el9 ~ * | cpe:/a:redhat:openshift:4.15::el9 |
II. Public POCs for CVE-2024-4369
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2024-4369
请登录查看更多情报信息。
IV. Related Vulnerabilities
Same weakness: CWE-526
- CVE-2026-40153
PraisonAIAgents Affected by Environment Variable Secret Exfi - CVE-2025-36105
IBM Planning Analytics Advanced Certified Containers is vuln - CVE-2025-27899
Multiple vulnerabilities in IBM Java SDK affecting Db2 Recov - CVE-2025-36017
IBM Controller Information Disclosure - CVE-2025-9162
Org.keycloak/keycloak-model-storage-service: variable inject
V. Comments for CVE-2024-4369
No comments yet