Cyber Resilience

CVE-2024-36539

Severity: Critical
Published: 24 July 2024
Modified: 27 June 2025
KEV Added: not listed
Patch: (none recorded)
CVSS v3.1 score: 9.8 (vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.1398 (94.5th percentile)
Risk priority: 28 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-36539 is a critical-severity Insecure Inherited Permissions (CWE-277) vulnerability in Projectcontour Contour. Its CVSS base score is 9.8 (Critical).

Operationally, its EPSS score places it in the top 5.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2024-36539 is an insecure permissions vulnerability (CWE-277) affecting Contour version 1.28.3. The flaw stems from overly permissive access controls that expose a service account token, enabling unauthorized retrieval of sensitive data and subsequent privilege escalation. It carries a CVSS 3.1 base score of 9.8, reflecting network-exploitable conditions with no required authentication or user interaction.

An unauthenticated remote attacker can obtain the service account token and leverage it to access sensitive information or elevate privileges within the affected Contour deployment. The EPSS score stands at 0.1398 with no material change from its recorded peak. The provided references consist of disclosure Gists that do not detail patches or mitigation steps.

Vulnerability details

Insecure permissions in Contour v1.28.3 allow attackers to access sensitive data and escalate privileges by obtaining the service account's token.

CWE(s)

CWE-277: Insecure Inherited Permissions

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: projectcontour
Product: contour
Version: 1.28.3

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
