CVE-2024-4369 MEDIUM

CVE-2024-4369: Cluster-image-registry-operator: exposes a secret via env variable in pod definition on azure

Weakness CWE-526
Published April 30, 2024
Last update February 25, 2026

CVSS base score

6.8/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N

What the vulnerability does

01Description

An information disclosure flaw was found in OpenShift's internal image registry operator. The AZURE_CLIENT_SECRET can be exposed through an environment variable defined in the pod definition, but is limited to Azure environments. An attacker controlling an account that has high enough permissions to obtain pod information from the openshift-image-registry namespace could use this obtained client secret to perform actions as the registry operator's Azure service account.

Key dates

02Disclosure timeline

April 30, 2024 CVE published
February 25, 2026 Record updated