CVE-2024-3744

MEDIUM

azurefile-csi-driver < 1.29.4 - Sensitive Information Exposure in Log Files

Title source: llm

Description

A security issue was discovered in azure-file-csi-driver where an actor with access to the driver logs could observe service account tokens. These tokens could then potentially be exchanged with external cloud providers to access secrets stored in cloud vault solutions. Tokens are only logged when TokenRequests is configured in the CSIDriver object and the driver is set to run at log level 2 or greater via the -v flag.

References (3)

Core 3

Core References

Mailing List

http://www.openwall.com/lists/oss-security/2024/05/09/4

Mailing List mailing-list

https://groups.google.com/g/kubernetes-security-announce/c/hcgZE2MQo1A/m/Y4C6q-CYAgAJ

Issue Tracking issue-tracking

https://github.com/kubernetes/kubernetes/issues/124759

Scores

CVSS v3 6.5

EPSS 0.0027

EPSS Percentile 18.1%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-532

Status published

Products (3)

Kubernetes/azure-file-csi-driver v1.29.3 - <=

Kubernetes/azure-file-csi-driver v1.30.0

sigs.k8s.io/azurefile-csi-driver 0 - 1.29.4Go

Published May 15, 2024

Tracked Since Feb 18, 2026