CVE-2024-9779— Open-cluster-management-io/ocm: cluster-manager permissions may allow a worker node to obtain service account tokens
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2024-9779
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Open-cluster-management-io/ocm: cluster-manager permissions may allow a worker node to obtain service account tokens
Source: NVD (National Vulnerability Database)
Vulnerability Description
A flaw was found in Open Cluster Management (OCM) when a user has access to the worker nodes which contain the cluster-manager or klusterlet deployments. The cluster-manager deployment uses a service account with the same name "cluster-manager" which is bound to a ClusterRole also named "cluster-manager", which includes the permission to create Pod resources. If this deployment runs a pod on an attacker-controlled node, the attacker can obtain the cluster-manager's token and steal any service account token by creating and mounting the target service account to control the whole cluster.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
特权授予不正确
Source: NVD (National Vulnerability Database)
Vulnerability Title
Open Cluster Management 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Open Cluster Management(OCM)是Open Cluster Management开源的一个社区驱动的项目。专注于 Kubernetes 应用程序的多集群和多云场景。 Open Cluster Management存在安全漏洞,该漏洞源于当用户可以访问包含集群管理器或 klusterlet 部署的工作节点时,开放集群管理 (OCM) 中会发现一个漏洞。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| Red Hat | Red Hat Advanced Cluster Management for Kubernetes 2 | - | cpe:/a:redhat:acm:2 |
II. Public POCs for CVE-2024-9779
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2024-9779
请登录查看更多情报信息。
IV. Related Vulnerabilities
Same weakness: CWE-266
- CVE-2026-8148
NAVER MYBOX Explorer for Windows 安全漏洞 - CVE-2026-43510
CISA manage.get.gov insecure portfolio administrative privil - CVE-2026-43535
OpenClaw < 2026.4.14 - Authorization Context Reuse in Collec - CVE-2026-42368
GeoVision LPC2011/LPC2211 Web Interface privilege escalation - CVE-2026-22337
WordPress Directorist Social Login plugin < 2.1.4 - Privileg
V. Comments for CVE-2024-9779
No comments yet