CVE-2024-6840

Published Sep 12, 2024

Last updated 2 months ago

CVSS medium 6.6

Overview

Description
An improper authorization flaw exists in the Ansible Automation Controller. This flaw allows an attacker using the k8S API server to send an HTTP request with a service account token mounted via `automountServiceAccountToken: true`, resulting in privilege escalation to a service account.
Source
secalert@redhat.com
NVD status
Awaiting Analysis

Risk scores

CVSS 3.1

Type
Secondary
Base score
6.6
Impact score
4.7
Exploitability score
1.3
Vector string
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:N
Severity
MEDIUM

Weaknesses

secalert@redhat.com
CWE-285

Social media

Hype score
Not currently trending

References