The below issue was reported to ProdSec by Simon Pasquier: In OCP, the telemeter-client pod running in the openshift-monitoring has an annotation containing the cluster's pull secret for the cloud.openshift.com and quay.io registries. The cause of the bug is that we use the token string concatenated with the hash [2] instead of writing the token string to the hash object and calling Sum() with a nil slice. The impact is that any user which can read the definition of the telemeter-client pod and/or deployment gets access to the pull secret token. Users with permissions from the cluster-reader clusterrole already have access to the original pull secret because they can read the "pull-secret" Secret in the openshift-config namespace. The issue has been present since OCP 4.12 [3] [4]. [1] https://issues.redhat.com/browse/OCPBUGS-28650 [2] https://github.com/openshift/cluster-monitoring-operator/blob/d45a3335c2bbada0948adef9fcba55c4e14fa1d7/pkg/manifests/manifests.go#L3135 [3] https://bugzilla.redhat.com/show_bug.cgi?id=2114721 [4] https://github.com/openshift/cluster-monitoring-operator/pull/1747
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.15 Via RHSA-2024:1887 https://access.redhat.com/errata/RHSA-2024:1887