CRITICAL🇵🇱 Wersja polska

CVE-2024-36532

CVSS 10.0v3.1pub. 2024-06-21upd. 2026-04-15

Insecure permissions in kruise v1.6.2 allows attackers to access sensitive data and escalate privileges by obtaining the service account's token.

🤖 AI Analysis
How it works

An attacker can obtain a service account token as a result of improperly granted permissions in the kruise application. The obtained token allows authentication as a service account in the Kubernetes cluster. This way, the attacker gains access to resources and data that the compromised account has permissions for, leading to privilege escalation.

Impact

An attacker can gain access to sensitive data and perform privilege escalation in the environment, potentially taking control of Kubernetes cluster resources.

Mitigation & patch

Apply patches available from the vendor according to references. It is recommended to update kruise to a version higher than v1.6.2 and verify and restrict service account permissions according to the principle of least privilege.

Who is affected

kruise v1.6.2

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
LPE
CWE
References