CVE-2024-36539
Published: 24 July 2024
Summary
CVE-2024-36539 is a critical-severity Insecure Inherited Permissions (CWE-277) vulnerability in Contour (projectcontour). Its CVSS 3.1 base score is 9.8 (Critical).
Its EPSS score places it in the top 5.5% of CVEs by estimated exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2024-36539 is an insecure permissions vulnerability (CWE-277) affecting Contour version 1.28.3. The flaw stems from overly permissive access controls that expose a service account token, enabling unauthorized retrieval of sensitive data and subsequent privilege escalation. It carries a CVSS 3.1 base score of 9.8, reflecting a vector that assumes network exploitation with no authentication or user interaction.
Under that vector, an unauthenticated remote attacker can obtain the service account token and use it to read sensitive information or elevate privileges within the affected deployment. The published description does not say how the token becomes reachable, and in Kubernetes a stolen ServiceAccount token carries exactly the RBAC permissions bound to that ServiceAccount, so the practical blast radius is whatever the Contour deployment's Role and ClusterRole bindings grant. The EPSS score stands at 0.1398, unchanged from its recorded peak. The only references are disclosure Gists; they do not describe a patch or mitigation, and no fixed version is named.
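Because the damage a leaked ServiceAccount token can do is bounded by the RBAC bound to that ServiceAccount, the first triage step is to compute that binding set and look for rules that allow further escalation. The following is an added example, not Contour code and not taken from the disclosure Gists; it works on Role/ClusterRole and RoleBinding/ClusterRoleBinding objects in the shape `kubectl get ... -o json` returns, and the sample objects and names (`edge`, `ingress-controller`, `token-minter`) are constructed for illustration, not Contour's shipped RBAC. It also covers two points a quick `kubectl get rolebindings` read misses: Group subjects such as `system:serviceaccounts:<ns>` that cover every ServiceAccount in a namespace, and bindings whose roleRef no longer resolves and therefore grant nothing.

```python
"""Triage a stolen ServiceAccount token by its RBAC blast radius.

Added example, not Contour project code. Input objects follow the JSON shape
`kubectl get roles,clusterroles,rolebindings,clusterrolebindings -o json`
returns; the sample objects below are constructed with hypothetical names.
"""
from typing import Dict, List, Tuple

Rule = Dict[str, List[str]]

# (apiGroup, resource, verbs, why it matters). Any one of the verbs suffices.
ESCALATION_CHECKS = [
    ("", "secrets", {"get", "list", "watch"}, "read other workloads' secrets and legacy SA tokens"),
    ("", "serviceaccounts/token", {"create"}, "mint tokens for other service accounts"),
    ("", "pods", {"create", "patch", "update"}, "run a pod under a more privileged service account"),
    ("rbac.authorization.k8s.io", "rolebindings", {"create", "patch", "update"}, "bind itself new roles"),
    ("rbac.authorization.k8s.io", "clusterrolebindings", {"create", "patch", "update"}, "bind itself cluster-admin"),
    ("*", "*", {"*"}, "wildcard rule"),
]


def subject_matches(subject: dict, sa_ns: str, sa_name: str) -> bool:
    """True if a binding subject covers the ServiceAccount, directly or via the
    implicit groups every ServiceAccount belongs to."""
    kind = subject.get("kind")
    if kind == "ServiceAccount":
        return subject.get("name") == sa_name and subject.get("namespace") == sa_ns
    if kind == "Group":
        return subject.get("name") in {
            "system:authenticated", "system:serviceaccounts", f"system:serviceaccounts:{sa_ns}"}
    return False


def effective_rules(sa_ns: str, sa_name: str, bindings: list, roles: list) -> List[Tuple[str, Rule]]:
    """(scope, rule) pairs the ServiceAccount can exercise. scope is a namespace,
    or "*" for a ClusterRoleBinding. A binding whose roleRef does not resolve
    grants nothing, so it is skipped rather than guessed at."""
    index = {(r["kind"], r["metadata"].get("namespace", ""), r["metadata"]["name"]): r for r in roles}
    out: List[Tuple[str, Rule]] = []
    for b in bindings:
        if not any(subject_matches(s, sa_ns, sa_name) for s in b.get("subjects", [])):
            continue
        ref = b["roleRef"]
        if b["kind"] == "ClusterRoleBinding":
            scope, key = "*", ("ClusterRole", "", ref["name"])
        else:
            scope = b["metadata"]["namespace"]
            key = (ref["kind"], "" if ref["kind"] == "ClusterRole" else scope, ref["name"])
        role = index.get(key)
        if role is not None:
            out.extend((scope, rule) for rule in role.get("rules", []))
    return out


def escalation_paths(rules: List[Tuple[str, Rule]]) -> List[Tuple[str, str, str]]:
    """Rules that let the token holder widen access, as sorted (scope, resource, why)."""
    found = set()
    for scope, rule in rules:
        groups, resources, verbs = (set(rule.get(k, [])) for k in ("apiGroups", "resources", "verbs"))
        for group, resource, needed, why in ESCALATION_CHECKS:
            if (("*" in groups or group in groups) and ("*" in resources or resource in resources)
                    and ("*" in verbs or verbs & needed)):
                found.add((scope, resource, why))
    return sorted(found)


# Constructed sample objects with hypothetical names; not Contour's real RBAC.
SAMPLE_ROLES = [
    {"kind": "ClusterRole", "metadata": {"name": "ingress-controller"},
     "rules": [
         {"apiGroups": [""], "resources": ["services", "endpoints", "secrets"],
          "verbs": ["get", "list", "watch"]},
         {"apiGroups": ["networking.k8s.io"], "resources": ["ingresses"],
          "verbs": ["get", "list", "watch"]}]},
    {"kind": "Role", "metadata": {"name": "token-minter", "namespace": "edge"},
     "rules": [{"apiGroups": [""], "resources": ["serviceaccounts/token"], "verbs": ["create"]}]},
]
SAMPLE_BINDINGS = [
    {"kind": "ClusterRoleBinding", "metadata": {"name": "ingress-controller"},
     "subjects": [{"kind": "ServiceAccount", "name": "ingress-controller", "namespace": "edge"}],
     "roleRef": {"kind": "ClusterRole", "name": "ingress-controller"}},
    # Group subject: every ServiceAccount in "edge" gets this, not only the controller.
    {"kind": "RoleBinding", "metadata": {"name": "token-minter", "namespace": "edge"},
     "subjects": [{"kind": "Group", "name": "system:serviceaccounts:edge"}],
     "roleRef": {"kind": "Role", "name": "token-minter"}},
    # Dangling roleRef: appears in listings but grants nothing.
    {"kind": "RoleBinding", "metadata": {"name": "stale", "namespace": "other"},
     "subjects": [{"kind": "ServiceAccount", "name": "ingress-controller", "namespace": "edge"}],
     "roleRef": {"kind": "Role", "name": "deleted-role"}},
]


def audit(sa_ns: str, sa_name: str, bindings=None, roles=None) -> List[Tuple[str, str, str]]:
    """Escalation findings for one ServiceAccount over the given (or sample) objects."""
    bindings = SAMPLE_BINDINGS if bindings is None else bindings
    roles = SAMPLE_ROLES if roles is None else roles
    return escalation_paths(effective_rules(sa_ns, sa_name, bindings, roles))


if __name__ == "__main__":
    for scope, resource, why in audit("edge", "ingress-controller"):
        print(f"[{scope}] {resource}: {why}")
```

Cluster-wide `get`/`list` on `secrets` is the finding that turns a single leaked token into a cluster compromise, since it exposes every other namespace's Secrets and any legacy secret-backed ServiceAccount tokens; scoping that rule to the namespaces the controller actually serves is the usual fix. The `system:serviceaccounts:edge` binding shows why auditing only subjects named `ingress-controller` undercounts what the token can do.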
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-36151
Vulnerability details
Insecure permissions in contour v1.28.3 allows attackers to access sensitive data and escalate privileges by obtaining the service account's token.
- CWE(s): CWE-277 (Insecure Inherited Permissions)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
- Contour v1.28.3
Mitigating Controls
No mitigating controls mapped yet. Until one is, scope the blast radius by the RBAC bound to the Contour ServiceAccount and treat any token that may have been exposed as compromised.