Vulnerability DatabaseCVE-2024-53351

CVE-2024-53351:
vulnerability analysis and mitigation

Overview

Insecure permissions in pipecd v0.49 allow attackers to gain access to the service account's token, leading to escalation of privileges. This vulnerability affects PipeCD versions up to and including v0.49.3, a GitOps-style continuous delivery platform. The vulnerability was discovered and disclosed on March 21, 2025 (NVD).

Technical details

The vulnerability has been assigned a CVSS v3.1 base score of 9.8 CRITICAL (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is classified under CWE-276 (Incorrect Default Permissions). The issue stems from insecure permissions that could allow attackers to compromise all Secrets components in Kubernetes, potentially leading to cluster-wide compromise (GitHub Advisory).

Impact

The vulnerability can directly compromise all Secrets components in Kubernetes, potentially leading to further compromise of other components in the cluster or even complete takeover of the entire Kubernetes cluster. This allows attackers to access sensitive information and potentially gain unauthorized administrative access to the affected systems (GitHub Advisory).

Mitigation and workarounds

Users should upgrade to a version newer than PipeCD v0.49.3 to address this vulnerability. The issue has been identified and fixed in subsequent releases (PipeCD Repository).