CRITICAL🇵🇱 Wersja polska

CVE-2024-36539

CVSS 9.8v3.1pub. 2024-07-24upd. 2025-06-27

Insecure permissions in contour v1.28.3 allows attackers to access sensitive data and escalate privileges by obtaining the service account's token.

🤖 AI Analysis
How it works

Incorrect permission configuration (CWE-277) in Contour v1.28.3 causes the service account token to be accessible in a way that does not require authentication. An attacker remotely, without any required permissions or user interaction, can obtain this token. The obtained service account token can then be used for further privilege escalation in the Kubernetes environment.

Impact

An attacker can gain access to sensitive data and escalate their privileges in the environment, potentially taking control over Kubernetes cluster resources managed by Contour.

Mitigation & patch

Patches available from the vendor should be applied in accordance with references. It is also recommended to audit service account permissions in the Kubernetes environment and restrict access to service tokens in accordance with the principle of least privilege.

Who is affected

Contour (Projectcontour) in version v1.28.3

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Projectcontour Contour

    APP
    Projectcontour
    1.28.3
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
LPE
CWE
References

Related vulnerabilities

CVE-2026-41246HIGH8.1ten sam produkt

Contour is a Kubernetes ingress controller using Envoy proxy. From v1.19.0 to before v1.33.4, v1.32.5, and v1....

CVE-2021-32783HIGH8.5ten sam produkt

Contour is a Kubernetes ingress controller using Envoy proxy. In Contour before version 1.17.1 a specially cra...

CVE-2020-15127HIGH7.5ten sam produkt

In Contour ( Ingress controller for Kubernetes) before version 1.7.0, a bad actor can shut down all instances ...