{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-06-14T06:43:42.488","vulnerabilities":[{"cve":{"id":"CVE-2024-9779","sourceIdentifier":"secalert@redhat.com","published":"2024-12-17T23:15:05.603","lastModified":"2026-04-15T00:35:42.020","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"A flaw was found in Open Cluster Management (OCM) when a user has access to the worker nodes which contain the cluster-manager or klusterlet deployments. The cluster-manager deployment uses a service account with the same name \"cluster-manager\" which is bound to a ClusterRole also named \"cluster-manager\", which includes the permission to create Pod resources. If this deployment runs a pod on an attacker-controlled node, the attacker can obtain the cluster-manager's token and steal any service account token by creating and mounting the target service account to control the whole cluster."},{"lang":"es","value":"Se encontró una falla en Open Cluster Management (OCM) cuando un usuario tiene acceso a los nodos de trabajo que contienen las implementaciones de cluster-manager o klusterlet. La implementación de cluster-manager utiliza una cuenta de servicio con el mismo nombre \"cluster-manager\" que está vinculada a un ClusterRole también llamado \"cluster-manager\", que incluye el permiso para crear recursos de pod. Si esta implementación ejecuta un pod en un nodo controlado por un atacante, este puede obtener el token de cluster-manager y robar cualquier token de cuenta de servicio mediante la creación y el montaje de la cuenta de servicio de destino para controlar todo el clúster."}],"metrics":{"cvssMetricV31":[{"source":"secalert@redhat.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:N","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":2.2,"impactScore":4.7}]},"weaknesses":[{"source":"secalert@redhat.com","type":"Primary","description":[{"lang":"en","value":"CWE-266"}]}],"references":[{"url":"https://access.redhat.com/security/cve/CVE-2024-9779","source":"secalert@redhat.com"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2317916","source":"secalert@redhat.com"},{"url":"https://github.com/open-cluster-management-io/ocm/pull/325","source":"secalert@redhat.com"},{"url":"https://github.com/open-cluster-management-io/ocm/releases/tag/v0.13.0","source":"secalert@redhat.com"},{"url":"https://github.com/open-cluster-management-io/registration-operator/issues/361","source":"secalert@redhat.com"}]}}]}