CVE-2024-53351
Published: 21 March 2025
Summary
CVE-2024-53351 is a critical-severity Incorrect Default Permissions (CWE-276) vulnerability in Linux Foundation PipeCD. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 25.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and IA-5 (Authenticator Management).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) [AI]
- Requires timely identification, reporting, and correction of the specific flaw in PipeCD v0.49 involving insecure permissions that expose the service account token.
- Mandates protection of authenticator content such as service account tokens from unauthorized disclosure and modification through proper management and secure handling.
- Establishes and documents secure configuration settings to prevent incorrect default permissions that allow access to sensitive service account tokens.
MITRE ATT&CK Enterprise Techniques [AI]
Why these techniques?
The remote unauthenticated vulnerability in the public-facing PipeCD service allows direct access to the service account token, enabling initial access via public-facing application exploitation (T1190) and resulting in privilege escalation (T1068).
NVD Description
Insecure permissions in pipecd v0.49 allow attackers to gain access to the service account's token, leading to escalation of privileges.
Deeper analysis [AI]
CVE-2024-53351 involves insecure permissions in PipeCD version 0.49, classified under CWE-276 (Incorrect Default Permissions). This vulnerability enables attackers to access the service account's token, resulting in escalation of privileges. It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical due to its network accessibility, low attack complexity, lack of required privileges or user interaction, and high impacts across confidentiality, integrity, and availability.
Remote, unauthenticated attackers can exploit this flaw over the network to obtain the service account token and escalate privileges within the affected PipeCD deployment. No special access or user involvement is needed, which creates broad potential for compromise in environments running the vulnerable version.
Mitigation details and further advisories are available in the referenced GitHub Gist at https://gist.github.com/HouqiyuA/948a808b8bd48b17b37a4d5e0b6fb005, the PipeCD GitHub repository at https://github.com/pipe-cd/pipecd, and the project website at https://pipecd.dev/. Security practitioners should consult these sources for patching instructions and remediation steps.
Details
- CWE(s)