6.6

CVE-2024-6840

An improper authorization flaw exists in the Ansible Automation Controller. This flaw allows an attacker using the k8s API server to send an HTTP request with a service account token mounted via `automountServiceAccountToken: true`, resulting in privilege escalation to a service account.

Linked by AI from unstructured data to existing CPEs in the NVD.
Data provided by the CVE Program through a CVE Numbering Authority (CNA) (unstructured).
Affected products (CNA data)

Collection URL: https://github.com/ansible/ansible
Package: automation-controller
Default status: unaffected
Version: < 4.5.10-1
Version: 4.5.10-1
Status: affected

Vendor: Red Hat
Product: Red Hat Ansible Automation Platform 2.4 for RHEL 8
Default status: affected
Version: < *
Version: 0:4.5.10-1.el8ap
Status: unaffected

Vendor: Red Hat
Product: Red Hat Ansible Automation Platform 2.4 for RHEL 9
Default status: affected
Version: < *
Version: 0:4.5.10-1.el9ap
Status: unaffected
No CISA KEV entry or CERT.AT warning was found for this CVE.

EPSS metrics
Type   Source      Score   Percentile
EPSS   FIRST.org   0.14%   0.352

CVSS metrics
Source                Base Score   Exploit Score   Impact Score   Vector string
secalert@redhat.com   6.6          1.3             4.7            CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:N
CWE-285: Improper Authorization

The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.