Bug 2280517 (CVE-2024-3744) - CVE-2024-3744 azure-file-csi-driver: exposure of service account tokens in logs
Summary: CVE-2024-3744 azure-file-csi-driver: exposure of service account tokens in logs
Keywords:
Status: NEW
Alias: CVE-2024-3744
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 2280518
Reported: 2024-05-15 04:15 UTC by Robb Gatica
Modified: 2024-05-30 22:44 UTC
CC List: 0 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in azure-file-csi-driver. Anyone with access to the driver logs could observe service account tokens. These tokens could then potentially be exchanged with external cloud providers to access secrets stored in cloud vault solutions.
Clone Of:
Environment:
Last Closed:
Embargoed:



Description Robb Gatica 2024-05-15 04:15:17 UTC
A security issue was discovered in azure-file-csi-driver where an actor with access to the driver logs could observe service account tokens. These tokens could then potentially be exchanged with external cloud providers to access secrets stored in cloud vault solutions. Tokens are only logged when TokenRequests is configured in the CSIDriver object and the driver is set to run at log level 2 or greater via the -v flag.

https://github.com/kubernetes/kubernetes/issues/124759
https://groups.google.com/g/kubernetes-security-announce/c/hcgZE2MQo1A/m/Y4C6q-CYAgAJ
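The two preconditions named in the report (spec.tokenRequests set on the CSIDriver object, and the driver running with -v at 2 or higher) can be checked mechanically, and driver logs that were collected under those conditions can be scanned for JWT-shaped strings before they are retained or forwarded. The script below is an added example written for this page; it is not code from the bug report, from Kubernetes or from azure-file-csi-driver. The CSIDriver object, the container args and the log lines are constructed inline so it runs offline; in practice they would come from `kubectl get csidriver <name> -o json`, the driver pod spec and `kubectl logs`. The "csi.storage.k8s.io/serviceAccount.tokens" volume-context key in the sample log line is the key kubelet uses to pass requested tokens to a CSI driver, included only to make the sample resemble a real log entry.

```python
"""Check CVE-2024-3744 exposure preconditions and scan CSI driver logs for leaked tokens.

Added example for this bug page; not the driver's own code. Sample data is constructed.
"""
import base64
import json
import re

# A service account token is a JWT: three base64url segments separated by dots.
# The first segment encodes a JSON header, so it begins with "eyJ" (base64 of '{"').
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")


def csidriver_requests_tokens(csidriver: dict) -> bool:
    """True when spec.tokenRequests is present and non-empty on the CSIDriver object."""
    return bool(csidriver.get("spec", {}).get("tokenRequests"))


def driver_log_level(args) -> int:
    """Extract the klog verbosity from a container's args list.

    Accepts -v=N, --v=N, "-v N" and "--v N"; a missing flag means verbosity 0.
    """
    level = 0
    args = list(args)
    for i, arg in enumerate(args):
        for flag in ("-v", "--v"):
            value = arg[len(flag) + 1:]
            if arg.startswith(flag + "=") and value.isdigit():
                level = int(value)
            elif arg == flag and i + 1 < len(args) and args[i + 1].isdigit():
                level = int(args[i + 1])
    return level


def exposure_conditions_met(csidriver: dict, container_args) -> bool:
    """Both conditions from the report: tokenRequests configured AND verbosity >= 2."""
    return csidriver_requests_tokens(csidriver) and driver_log_level(container_args) >= 2


def find_token_leaks(log_lines):
    """Return (1-based line number, token) for every JWT-shaped string in the log lines."""
    return [(n, m.group(0))
            for n, line in enumerate(log_lines, 1)
            for m in JWT_RE.finditer(line)]


def redact_tokens(log_lines):
    """Return the log lines with every JWT-shaped string replaced by a marker."""
    return [JWT_RE.sub("[REDACTED-JWT]", line) for line in log_lines]


# ---- constructed sample data (not taken from the report or from any real cluster) ----
def _dummy_jwt() -> str:
    """An unsigned, JWT-shaped dummy token so the sample log resembles a real leak."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return seg({"alg": "none"}) + "." + seg({"sub": "system:serviceaccount:default:example"}) + ".dummysig"


# Shape of `kubectl get csidriver file.csi.azure.com -o json`, reduced to the relevant fields.
SAMPLE_CSIDRIVER = {
    "apiVersion": "storage.k8s.io/v1",
    "kind": "CSIDriver",
    "metadata": {"name": "file.csi.azure.com"},
    "spec": {"attachRequired": False, "tokenRequests": [{"audience": "example-audience"}]},
}

# Constructed container args for the driver pod; -v=5 is above the level-2 threshold.
SAMPLE_ARGS = ["--endpoint=unix:///csi/csi.sock", "--nodeid=node-1", "-v=5"]

# Constructed log lines; line 2 mimics a verbose GRPC request dump carrying a token.
SAMPLE_LOGS = [
    "I0515 04:15:17.000001       1 utils.go:100] GRPC call: /csi.v1.Node/NodePublishVolume",
    'I0515 04:15:17.000002       1 utils.go:101] GRPC request: {"volume_context":'
    '{"csi.storage.k8s.io/serviceAccount.tokens":"' + _dummy_jwt() + '"}}',
    "I0515 04:15:17.000003       1 utils.go:102] GRPC response: {}",
]


if __name__ == "__main__":
    print("exposure preconditions met:", exposure_conditions_met(SAMPLE_CSIDRIVER, SAMPLE_ARGS))
    for lineno, token in find_token_leaks(SAMPLE_LOGS):
        print(f"line {lineno}: JWT-shaped token found ({token[:12]}...)")
    for line in redact_tokens(SAMPLE_LOGS):
        print(line)
```

A cluster is only exposed when both checks return true, so either remediation (removing tokenRequests from the CSIDriver object, or lowering -v below 2) closes the condition described in the report; the log scan is for triage of logs that were already collected while it was open, and any token it finds should be treated as compromised and the service account's token rotated.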

