CVE-2024-3744

MEDIUM

Sigs.k8s.io Azurefile-csi-driver < 1.29.4 - Log Information Exposure

Title source: rule

Description

A security issue was discovered in azure-file-csi-driver where an actor with access to the driver logs could observe service account tokens. These tokens could then potentially be exchanged with external cloud providers to access secrets stored in cloud vault solutions. Tokens are only logged when TokenRequests is configured in the CSIDriver object and the driver is set to run at log level 2 or greater via the -v flag.

References (3)

Core 3

Core References

Mailing List

http://www.openwall.com/lists/oss-security/2024/05/09/4

Mailing List mailing-list

https://groups.google.com/g/kubernetes-security-announce/c/hcgZE2MQo1A/m/Y4C6q-CYAgAJ

Issue Tracking issue-tracking

https://github.com/kubernetes/kubernetes/issues/124759

Scores

CVSS v3 6.5

EPSS 0.0002

EPSS Percentile 6.7%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-532

Status published

Products (3)

Kubernetes/azure-file-csi-driver v1.29.3 - <=

Kubernetes/azure-file-csi-driver v1.30.0

sigs.k8s.io/azurefile-csi-driver 0 - 1.29.4Go

Published May 15, 2024

Tracked Since Feb 18, 2026