CVE-2024-1139: Withdrawn Advisory: Cluster Monitoring Operator contains a credentials leak
(updated )
Withdrawn Advisory
This advisory has been withdrawn because the vulnerability does not affect a package in the Go registry. For more information, see the discussion here. This link is maintained to preserve external references.
Original Description
A credentials leak vulnerability was found in the cluster monitoring operator in OCP. This issue may allow a remote attacker who has basic login credentials to check the pod manifest to discover a repository pull secret.
References
- access.redhat.com/errata/RHSA-2024:1887
- access.redhat.com/errata/RHSA-2024:1891
- access.redhat.com/errata/RHSA-2024:2047
- access.redhat.com/errata/RHSA-2024:2782
- access.redhat.com/security/cve/CVE-2024-1139
- bugzilla.redhat.com/show_bug.cgi?id=2262158
- github.com/advisories/GHSA-x5m7-63c6-fx79
- github.com/openshift/cluster-monitoring-operator
- github.com/openshift/cluster-monitoring-operator/blob/d45a3335c2bbada0948adef9fcba55c4e14fa1d7/pkg/manifests/manifests.go
- github.com/openshift/cluster-monitoring-operator/commit/1cfbe9ffafe1e43f8f87a451b72fddf5d76fa4e3
- github.com/openshift/cluster-monitoring-operator/pull/1747
- nvd.nist.gov/vuln/detail/CVE-2024-1139
Code Behaviors & Features
Detect and mitigate CVE-2024-1139 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →