Insecure permissions in contour v1.28.3 allows attackers to access sensitive data and escalate privileges by obtaining the service account's token.
Incorrect permission configuration (CWE-277) in Contour v1.28.3 causes the service account token to be accessible in a way that does not require authentication. An attacker remotely, without any required permissions or user interaction, can obtain this token. The obtained service account token can then be used for further privilege escalation in the Kubernetes environment.
An attacker can gain access to sensitive data and escalate their privileges in the environment, potentially taking control over Kubernetes cluster resources managed by Contour.
Patches available from the vendor should be applied in accordance with references. It is also recommended to audit service account permissions in the Kubernetes environment and restrict access to service tokens in accordance with the principle of least privilege.
Contour (Projectcontour) in version v1.28.3
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HProjectcontour Contour
APPProjectcontour1.28.3
Related vulnerabilities
Contour is a Kubernetes ingress controller using Envoy proxy. From v1.19.0 to before v1.33.4, v1.32.5, and v1....
Contour is a Kubernetes ingress controller using Envoy proxy. In Contour before version 1.17.1 a specially cra...
In Contour ( Ingress controller for Kubernetes) before version 1.7.0, a bad actor can shut down all instances ...