Home > Vulnerability Database > CVE-2024-3744

Mend.io Vulnerability Database

CVE-2024-3744

Good to know:

Date: May 14, 2024

A security issue was discovered in azure-file-csi-driver where an actor with access to the driver logs could observe service account tokens. These tokens could then potentially be exchanged with external cloud providers to access secrets stored in cloud vault solutions. Tokens are only logged when TokenRequests is configured in the CSIDriver object and the driver is set to run at log level 2 or greater via the -v flag.

Language: Go

Severity Score

6.5

Related Resources (9)

Url: https://github.com/kubernetes-sigs/azurefile-csi-driver/commit/e11ff3dc2c03894cde692213308f9991e7bbd5bf

Url: https://github.com/advisories/GHSA-qjqg-4wg7-957h

Url: https://github.com/kubernetes/kubernetes/issues/124759

Url: https://github.com/kubernetes-sigs/azurefile-csi-driver/commit/a1b7446de942136419f07394efeef804523f87ae

Url: http://www.openwall.com/lists/oss-security/2024/05/09/4

Url: https://groups.google.com/g/kubernetes-security-announce/c/hcgZE2MQo1A/m/Y4C6q-CYAgAJ

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-3744

Url: https://github.com/kubernetes-sigs/azurefile-csi-driver

Url: https://www.mend.io/vulnerability-database/CVE-2024-3744

Severity Score

6.5

Weakness Type (CWE)

Insertion of Sensitive Information into Log File

CWE-532

Top Fix

Upgrade Version

Upgrade to version sigs.k8s.io/azurefile-csi-driver - v1.29.4;sigs.k8s.io/azurefile-csi-driver - v1.30.1

Learn More

CVSS v3.1

Base Score:	6.5
Attack Vector (AV):	LOCAL
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	CHANGED
Confidentiality (C):	HIGH
Integrity (I):	NONE
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2024-3744

Good to know:

Date: May 14, 2024

Language: Go

Severity Score

Related Resources (9)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?