CVE-2024-9779

7.5 HIGH
Published: December 17, 2024 Modified: February 25, 2026
View on NVD

Description

A flaw was found in Open Cluster Management (OCM) when a user has access to the worker nodes which contain the cluster-manager or klusterlet deployments. The cluster-manager deployment uses a service account with the same name "cluster-manager" which is bound to a ClusterRole also named "cluster-manager", which includes the permission to create Pod resources. If this deployment runs a pod on an attacker-controlled node, the attacker can obtain the cluster-manager's token and steal any service account token by creating and mounting the target service account to control the whole cluster.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

CVSS v3.x Details

0.0 Low Medium High Critical 10.0
Vector String
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:N

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory
https://access.redhat.com/security/cve/CVE-2024-9779
Source: secalert@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=2317916
Source: secalert@redhat.com
https://github.com/open-cluster-management-io/ocm/pull/325
Source: secalert@redhat.com
https://github.com/open-cluster-management-io/ocm/releases/tag/v0.13.0
Source: secalert@redhat.com
https://github.com/open-cluster-management-io/registration-operator/issues/361
Source: secalert@redhat.com

5 reference(s) from NVD

Quick Stats

CVSS v3 Score
7.5 / 10.0
EPSS (Exploit Probability)
0.1%
28th percentile
Exploitation Status
Not in CISA KEV

Weaknesses (CWE)

CWE-266

Related CVEs

CVE-2026-4624 7.3
CVE-2026-4623 7.3
CVE-2026-33308 6.8
CVE-2026-3079 6.5
CVE-2026-33307 7.5