A flaw was found in Open Cluster Management (OCM) that affects clusters in which a user has access to the worker nodes hosting the cluster-manager or klusterlet deployments. The cluster-manager deployment runs under a service account named "cluster-manager" that is bound to a ClusterRole of the same name, and that ClusterRole includes permission to create Pod resources. If a pod of this deployment is scheduled on an attacker-controlled node, the attacker can read the cluster-manager service account token from that node and then use its pod-creation permission to obtain any other service account's token, by creating a pod that mounts the target service account; this can yield control of the whole cluster.
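The escalation chain above has two halves: node access exposes the token of whatever pod the kubelet runs there (the projected service-account token lives under the kubelet's pod volume directory on the node), and a cluster-wide `create pods` permission turns that one token into any token, because a pod's spec may name any ServiceAccount of its namespace and the kubelet mounts that account's token into it. The audit below is an added example written for this page, not code from OCM or Red Hat: it takes ClusterRoles and ClusterRoleBindings in the shape `kubectl get clusterroles,clusterrolebindings -o json` returns and lists every subject that can create Pods in every namespace, which is the property that makes the cluster-manager account worth stealing. The RBAC objects are constructed for the example; the namespace `open-cluster-management` and all names other than "cluster-manager" are assumptions, and the rule matching models only the verb/resource/apiGroup wildcards, not aggregated ClusterRoles or namespaced RoleBindings.

```python
"""RBAC audit: which subjects can create Pods cluster-wide?

A subject that may create Pods in a namespace can schedule a Pod with
spec.serviceAccountName set to any ServiceAccount of that namespace and read
the token the kubelet mounts into it. Bound through a ClusterRoleBinding, the
reach is every namespace, kube-system included.
"""
from collections import defaultdict

# Constructed sample data (not copied from OCM). Only the fields the audit
# needs are present. The "cluster-manager" role/binding pair models the
# shape the advisory describes; the namespace and the other names are
# assumptions made for this example.
CLUSTER_ROLES = [
    {"metadata": {"name": "cluster-manager"},
     "rules": [
         {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "create"]},
         {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["*"]},
     ]},
    {"metadata": {"name": "pod-reader"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]}]},
    {"metadata": {"name": "admin-ish"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"metadata": {"name": "deploy-only"},
     "rules": [{"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["create"]}]},
]
CLUSTER_ROLE_BINDINGS = [
    {"metadata": {"name": "cluster-manager"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-manager"},
     "subjects": [{"kind": "ServiceAccount", "name": "cluster-manager",
                   "namespace": "open-cluster-management"}]},
    {"metadata": {"name": "viewers"},
     "roleRef": {"kind": "ClusterRole", "name": "pod-reader"},
     "subjects": [{"kind": "Group", "name": "viewers"}]},
    {"metadata": {"name": "ops"},
     "roleRef": {"kind": "ClusterRole", "name": "admin-ish"},
     "subjects": [{"kind": "User", "name": "ops@example.com"}]},
    {"metadata": {"name": "deployers"},
     "roleRef": {"kind": "ClusterRole", "name": "deploy-only"},
     "subjects": [{"kind": "ServiceAccount", "name": "deployer", "namespace": "ci"}]},
]


def _matches(values, wanted):
    """RBAC list semantics: '*' matches everything, otherwise exact match."""
    return "*" in values or wanted in values


def rule_allows_pod_create(rule):
    """True if one PolicyRule grants `create` on core-group `pods`."""
    return (_matches(rule.get("apiGroups", []), "")
            and _matches(rule.get("resources", []), "pods")
            and _matches(rule.get("verbs", []), "create"))


def subject_key(subject):
    """Stable, human-readable identity for a binding subject."""
    if subject["kind"] == "ServiceAccount":
        return f"ServiceAccount {subject['namespace']}/{subject['name']}"
    return f"{subject['kind']} {subject['name']}"


def find_pod_creators(cluster_roles, bindings):
    """Return {subject: [binding names]} for subjects able to create Pods in all namespaces."""
    creators = {r["metadata"]["name"] for r in cluster_roles
                if any(rule_allows_pod_create(rule) for rule in r.get("rules", []))}
    out = defaultdict(list)
    for b in bindings:
        ref = b["roleRef"]
        if ref["kind"] != "ClusterRole" or ref["name"] not in creators:
            continue
        for s in b.get("subjects", []):
            out[subject_key(s)].append(b["metadata"]["name"])
    return dict(out)


if __name__ == "__main__":
    for subject, via in sorted(find_pod_creators(CLUSTER_ROLES, CLUSTER_ROLE_BINDINGS).items()):
        print(f"{subject}  (via {', '.join(via)})")
```

Against the sample data the audit reports the `cluster-manager` ServiceAccount and the wildcard `ops@example.com` user; the `deployer` account is not reported because creating Deployments, although it leads to Pods indirectly, is a different permission that a reviewer would weigh separately. Every ServiceAccount the script lists is one whose pods should not be scheduled on nodes you do not fully trust.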
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

Sun, 13 Jul 2025 13:45:00 +0000

Type: Metrics
  Values Removed: epss {'score': 0.00072}
  Values Added:   epss {'score': 0.00082}


Wed, 18 Dec 2024 16:15:00 +0000

Type: Metrics
  Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 17 Dec 2024 23:15:00 +0000

Type: Title
  Values Removed: open-cluster-management-io/ocm: cluster-manager permissions may allow a worker node to obtain service account tokens
  Values Added:   Open-cluster-management-io/ocm: cluster-manager permissions may allow a worker node to obtain service account tokens
Type: First Time appeared
  Values Added: Redhat; Redhat acm
Type: CPEs
  Values Added: cpe:/a:redhat:acm:2
Type: Vendors & Products
  Values Added: Redhat; Redhat acm
Type: References
  Values Added: (no values shown)

Sat, 12 Oct 2024 02:15:00 +0000

Type: Description
  Values Removed: No description is available for this CVE.
  Values Added:   the current description (the text at the top of this page)

Fri, 11 Oct 2024 02:15:00 +0000

Type: Description
  Values Added: No description is available for this CVE.
Type: Title
  Values Added: open-cluster-management-io/ocm: cluster-manager permissions may allow a worker node to obtain service account tokens
Type: Weaknesses
  Values Added: CWE-268; CWE-501
Type: References
  Values Added: (no values shown)
Type: Metrics
  Values Removed: threat_severity None
  Values Added:   cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:N'}; threat_severity Moderate


MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2025-08-30T21:05:20.428Z

Reserved: 2024-10-10T03:51:08.007Z

Link: CVE-2024-9779

Vulnrichment

Updated: 2024-12-18T15:15:25.394Z

NVD

Status: Received

Published: 2024-12-17T23:15:05.603

Modified: 2024-12-17T23:15:05.603

Link: CVE-2024-9779

Redhat

Severity: Moderate

Public Date: 2023-11-30T00:00:00Z

Links: CVE-2024-9779 - Bugzilla

OpenCVE Enrichment

No data.