CVE-2024-53350
Published: 21 March 2025
Description
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.
Security Summary
CVE-2024-53350 is a vulnerability in Kubeslice version 1.3.1 stemming from insecure permissions that enable attackers to access the service account's token, facilitating privilege escalation. Assigned CWE-269 (Improper Privilege Management), it carries a CVSS v3.1 base score of 7.4 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N), indicating high confidentiality and integrity impacts with no availability disruption.
The vulnerability can be exploited by unauthenticated attackers over the network, though it requires high attack complexity. Successful exploitation grants access to the service account token, allowing privilege escalation within the affected Kubeslice environment.
Mitigation guidance and further details are available in the referenced advisories, including a GitHub Gist at https://gist.github.com/HouqiyuA/1cb964206e0d6bebd1c57a124c55fa03, the Kubeslice GitHub repository at https://github.com/kubeslice/kubeslice, and documentation at https://kubeslice.io/documentation/open-source/1.3.0. Security practitioners should review these sources for patches or workarounds.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability in the network-accessible Kubeslice service allows remote, unauthenticated access to the service account token due to insecure permissions, directly enabling exploitation of a public-facing application for credential access and privilege escalation.