Information Exposure Through Environmental Variables Affecting github.com/openshift/cluster-image-registry-operator package, versions *
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-GOLANG-GITHUBCOMOPENSHIFTCLUSTERIMAGEREGISTRYOPERATOR-6748545
- published 1 May 2024
- disclosed 30 Apr 2024
- credit Unknown
Introduced: 30 Apr 2024
CVE-2024-4369 Open this link in a new tabHow to fix?
There is no fixed version for github.com/openshift/cluster-image-registry-operator.
Overview
github.com/openshift/cluster-image-registry-operator is a The registry operator manages a singleton instance of the openshift registry. It manages all configuration of the registry including creating storage.
Affected versions of this package are vulnerable to Information Exposure Through Environmental Variables due to the exposure of AZURE_CLIENT_SECRET through an environment variable defined in the pod definition, limited to Azure environments. An attacker controlling an account with sufficient permissions to obtain pod information from the openshift-image-registry namespace could use this obtained client secret to perform actions as the registry operator's Azure service account.
Note
This is only exploitable if the attacker has high enough permissions to access pod information within the specified namespace.